3d83bd98c2c741ddd28642f11f98ce4038442a2aa95a636ab664c82c03b8badc

Analysis

max time kernel
101s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe
Size

133KB
MD5

8ec30d64f460f0d80729fe2cbc74160d
SHA1

c4b0d00909390d4d4981ef644ba0e9771c64c3e6
SHA256

3d83bd98c2c741ddd28642f11f98ce4038442a2aa95a636ab664c82c03b8badc
SHA512

faefe185844b575ee4033d35d6a5e0782191ef702bf35650e6913c54ef1a1202ecc77d13d4d0cf25ef5a16d37b268650d5d48a7ef299793ccea3f5ab438d6cf5
SSDEEP

3072:T0fubj0EL97H3uZI6t4CQuz6lwt68JmbRPKU:T24D7HeL2I6lwpJmbl

Score

10^/10

discovery evasion upx

Malware Config

Signatures

Modifies security service 2 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
49	5348	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
1764	lrswns.exe
5044	vqwbyr.exe
4768	izdebq.exe
5088	vqfgjy.exe
4064	idpwpu.exe
4044	skbuzt.exe
964	fbwwqb.exe
220	soomwf.exe
1884	gbxkcb.exe
116	qlmmpe.exe
4640	dyekvi.exe
4588	kcopmt.exe
1984	xpyfsx.exe
4052	lcpcyb.exe
2604	yphsde.exe
1560	iawcrh.exe
1932	vjdfuz.exe
624	iaxich.exe
3036	vnpyil.exe
3704	fyeido.exe
1228	sloyjk.exe
3440	fyfvpo.exe
860	tlxlvs.exe
2828	dgqwcm.exe
2916	qiwloz.exe
804	dvnbbu.exe
2792	qixrhy.exe
3484	atubub.exe
1400	ncbmxb.exe
2272	atvggb.exe
880	ngfemf.exe
4292	pqcphi.exe
3876	dajrki.exe
4372	qqdutq.exe
4784	ddnkym.exe
4460	nokump.exe
2816	abukst.exe
4952	nolzxw.exe
228	xnqxqv.exe
3124	kwwitv.exe
4972	uhlsgq.exe
1260	iudimu.exe
3792	vhmxsx.exe
4364	fdnqzs.exe
952	vtzqgb.exe
3464	cauqaz.exe
3652	pnmggv.exe
2388	fdxonm.exe
4076	nzhtwx.exe
940	aycvfg.exe
3776	kehopr.exe
2380	aydbyf.exe
4808	nlvzej.exe
1580	vmuzlq.exe
4812	kiczxq.exe
4484	xvlodm.exe
3608	cifwww.exe
1088	utspet.exe
1604	fptzmn.exe
1372	vqipnw.exe
4540	fljzur.exe
4188	scecdr.exe
3412	ajzuxo.exe
2912	kfanfj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1564-0-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/files/0x000a00000002346c-115.dat	upx
behavioral2/memory/1564-231-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1764-344-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/5088-469-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/5044-463-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4768-580-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/5088-694-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4044-702-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4064-813-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4044-927-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/964-1046-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/116-1169-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/220-1163-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4640-1312-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1884-1282-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/116-1396-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4640-1512-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1984-1746-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4052-1636-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4588-1632-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4052-1862-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2604-1978-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1560-2088-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1932-2200-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/624-2312-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3036-2424-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3704-2536-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1228-2652-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3440-2761-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2828-2988-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/860-2873-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2792-3103-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2916-3098-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/804-3211-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2792-3323-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3484-3435-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1400-3547-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2272-3662-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4292-3666-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/880-3773-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3876-3779-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4292-3888-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3876-3998-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4372-4110-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4784-4222-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4460-4334-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2816-4449-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4952-4563-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/228-4672-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3124-4784-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1260-4789-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4972-4900-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4364-5017-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/1260-5013-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3792-5128-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4364-5240-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/952-5354-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3652-5357-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3464-5468-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3652-5579-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/2388-5692-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/4076-5806-0x0000000000400000-0x000000000051C000-memory.dmp	upx
behavioral2/memory/3776-5809-0x0000000000400000-0x000000000051C000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\abukst.exe	nokump.exe
File opened for modification	C:\Windows\SysWOW64\xsikwl.exe	Process not Found
File created	C:\Windows\SysWOW64\gdvtdk.exe	tfaqvj.exe
File opened for modification	C:\Windows\SysWOW64\mingay.exe	bmmote.exe
File created	C:\Windows\SysWOW64\uflaaf.exe	etlfes.exe
File opened for modification	C:\Windows\SysWOW64\eljpfe.exe	qcdecn.exe
File created	C:\Windows\SysWOW64\dartva.exe	qyldkn.exe
File created	C:\Windows\SysWOW64\houvcm.exe	rnxnjd.exe
File opened for modification	C:\Windows\SysWOW64\trlytk.exe	dfddpx.exe
File created	C:\Windows\SysWOW64\xlayjr.exe	obkovo.exe
File opened for modification	C:\Windows\SysWOW64\wdkltv.exe	mijbma.exe
File opened for modification	C:\Windows\SysWOW64\skxkyz.exe	awgeny.exe
File opened for modification	C:\Windows\SysWOW64\qsxriv.exe	ducwsn.exe
File created	C:\Windows\SysWOW64\newwxx.exe	Process not Found
File created	C:\Windows\SysWOW64\cjqirt.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kajqgp.exe	xnzaal.exe
File created	C:\Windows\SysWOW64\csqcvr.exe	pcnzmj.exe
File created	C:\Windows\SysWOW64\pomocz.exe	Process not Found
File created	C:\Windows\SysWOW64\oehnjg.exe	bomkay.exe
File created	C:\Windows\SysWOW64\kizcar.exe	xvhmun.exe
File created	C:\Windows\SysWOW64\pctscd.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ozfugw.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\upcywv.exe	Process not Found
File created	C:\Windows\SysWOW64\kehopr.exe	aycvfg.exe
File created	C:\Windows\SysWOW64\kfpoei.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\zolmzm.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\sokzib.exe	ffdwfj.exe
File opened for modification	C:\Windows\SysWOW64\dthkqw.exe	tudmgx.exe
File created	C:\Windows\SysWOW64\petxoc.exe	fjamhh.exe
File opened for modification	C:\Windows\SysWOW64\rsepyh.exe	Process not Found
File created	C:\Windows\SysWOW64\sqxflj.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\mvmnrp.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ctbsli.exe	suxvbj.exe
File opened for modification	C:\Windows\SysWOW64\mugmbv.exe	zzpwwr.exe
File created	C:\Windows\SysWOW64\ylbduy.exe	nqatnw.exe
File opened for modification	C:\Windows\SysWOW64\ltkdpd.exe	elokdn.exe
File created	C:\Windows\SysWOW64\rmnxaj.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ukiyyh.exe	Process not Found
File created	C:\Windows\SysWOW64\lrswns.exe	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\zdghka.exe	mqwkff.exe
File created	C:\Windows\SysWOW64\xeaitu.exe	hssnph.exe
File created	C:\Windows\SysWOW64\cxduht.exe	Process not Found
File created	C:\Windows\SysWOW64\kbzqbg.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\gxqjse.exe	Process not Found
File created	C:\Windows\SysWOW64\djatrv.exe	qsxriv.exe
File created	C:\Windows\SysWOW64\abomrw.exe	qckpgx.exe
File created	C:\Windows\SysWOW64\sdolil.exe	fqfvch.exe
File opened for modification	C:\Windows\SysWOW64\mxmrdo.exe	zkucxk.exe
File created	C:\Windows\SysWOW64\pswqyx.exe	Process not Found
File created	C:\Windows\SysWOW64\hekmee.exe	uohkww.exe
File created	C:\Windows\SysWOW64\hzhwgn.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jatwpn.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\kiezbo.exe	xjkxsg.exe
File created	C:\Windows\SysWOW64\ypshra.exe	lzxeia.exe
File created	C:\Windows\SysWOW64\qyldkn.exe	dlbnes.exe
File created	C:\Windows\SysWOW64\saxzlc.exe	Process not Found
File created	C:\Windows\SysWOW64\ykkxdo.exe	lxsiys.exe
File opened for modification	C:\Windows\SysWOW64\vqwbyr.exe	lrswns.exe
File created	C:\Windows\SysWOW64\aydbyf.exe	kehopr.exe
File opened for modification	C:\Windows\SysWOW64\efukfa.exe	ottpbu.exe
File opened for modification	C:\Windows\SysWOW64\lzxeia.exe	bdwutf.exe
File created	C:\Windows\SysWOW64\ixgcty.exe	xytejz.exe
File created	C:\Windows\SysWOW64\umttvu.exe	Process not Found
File created	C:\Windows\SysWOW64\iluryn.exe	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxaqor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtohei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soomwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiwloz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdolil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqhrmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgqwcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xvlodm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wymnkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfxzen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzntpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eoomhx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqipnw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmckrh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viofxg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	erwqqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okbnzu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqudss.exe

Runs .reg file with regedit 64 IoCs

pid	Process
1728	Process not Found
4736	regedit.exe
1920	regedit.exe
3128	regedit.exe
5432	regedit.exe
4940	Process not Found
640	Process not Found
60	regedit.exe
4416	regedit.exe
5096	regedit.exe
4572	regedit.exe
5368	Process not Found
6468	Process not Found
2416	regedit.exe
2856	regedit.exe
4636	regedit.exe
1492	regedit.exe
4156	regedit.exe
5924	Process not Found
5752	regedit.exe
1156	regedit.exe
6532	Process not Found
2868	regedit.exe
1408	regedit.exe
5328	regedit.exe
3700	Process not Found
3504	Process not Found
4272	regedit.exe
2856	regedit.exe
5236	Process not Found
5884	Process not Found
5740	Process not Found
5576	Process not Found
6760	Process not Found
384	regedit.exe
2128	regedit.exe
6108	regedit.exe
2936	Process not Found
6744	Process not Found
5576	Process not Found
2020	Process not Found
1148	Process not Found
6452	Process not Found
5204	regedit.exe
1492	regedit.exe
2824	regedit.exe
5784	Process not Found
2136	Process not Found
6448	Process not Found
392	regedit.exe
4680	Process not Found
3096	regedit.exe
4028	regedit.exe
2936	regedit.exe
5728	regedit.exe
1920	regedit.exe
5344	regedit.exe
5380	Process not Found
6448	Process not Found
3316	regedit.exe
4536	Process not Found
5060	Process not Found
2240	regedit.exe
5860	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2520	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	84
PID 1564 wrote to memory of 2520	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	84
PID 1564 wrote to memory of 2520	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	84
PID 2520 wrote to memory of 4928	2520	cmd.exe	86
PID 2520 wrote to memory of 4928	2520	cmd.exe	86
PID 2520 wrote to memory of 4928	2520	cmd.exe	86
PID 1564 wrote to memory of 1764	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	88
PID 1564 wrote to memory of 1764	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	88
PID 1564 wrote to memory of 1764	1564	8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe	88
PID 1764 wrote to memory of 4852	1764	lrswns.exe	89
PID 1764 wrote to memory of 4852	1764	lrswns.exe	89
PID 1764 wrote to memory of 4852	1764	lrswns.exe	89
PID 4852 wrote to memory of 4840	4852	cmd.exe	91
PID 4852 wrote to memory of 4840	4852	cmd.exe	91
PID 4852 wrote to memory of 4840	4852	cmd.exe	91
PID 1764 wrote to memory of 5044	1764	lrswns.exe	92
PID 1764 wrote to memory of 5044	1764	lrswns.exe	92
PID 1764 wrote to memory of 5044	1764	lrswns.exe	92
PID 5044 wrote to memory of 464	5044	vqwbyr.exe	93
PID 5044 wrote to memory of 464	5044	vqwbyr.exe	93
PID 5044 wrote to memory of 464	5044	vqwbyr.exe	93
PID 464 wrote to memory of 3848	464	cmd.exe	94
PID 464 wrote to memory of 3848	464	cmd.exe	94
PID 464 wrote to memory of 3848	464	cmd.exe	94
PID 5044 wrote to memory of 4768	5044	vqwbyr.exe	95
PID 5044 wrote to memory of 4768	5044	vqwbyr.exe	95
PID 5044 wrote to memory of 4768	5044	vqwbyr.exe	95
PID 4768 wrote to memory of 3652	4768	izdebq.exe	233
PID 4768 wrote to memory of 3652	4768	izdebq.exe	233
PID 4768 wrote to memory of 3652	4768	izdebq.exe	233
PID 3652 wrote to memory of 3036	3652	cmd.exe	147
PID 3652 wrote to memory of 3036	3652	cmd.exe	147
PID 3652 wrote to memory of 3036	3652	cmd.exe	147
PID 4768 wrote to memory of 5088	4768	izdebq.exe	98
PID 4768 wrote to memory of 5088	4768	izdebq.exe	98
PID 4768 wrote to memory of 5088	4768	izdebq.exe	98
PID 5088 wrote to memory of 2180	5088	vqfgjy.exe	99
PID 5088 wrote to memory of 2180	5088	vqfgjy.exe	99
PID 5088 wrote to memory of 2180	5088	vqfgjy.exe	99
PID 2180 wrote to memory of 3820	2180	cmd.exe	100
PID 2180 wrote to memory of 3820	2180	cmd.exe	100
PID 2180 wrote to memory of 3820	2180	cmd.exe	100
PID 5088 wrote to memory of 4064	5088	vqfgjy.exe	101
PID 5088 wrote to memory of 4064	5088	vqfgjy.exe	101
PID 5088 wrote to memory of 4064	5088	vqfgjy.exe	101
PID 4064 wrote to memory of 2156	4064	idpwpu.exe	102
PID 4064 wrote to memory of 2156	4064	idpwpu.exe	102
PID 4064 wrote to memory of 2156	4064	idpwpu.exe	102
PID 2156 wrote to memory of 2416	2156	cmd.exe	103
PID 2156 wrote to memory of 2416	2156	cmd.exe	103
PID 2156 wrote to memory of 2416	2156	cmd.exe	103
PID 4064 wrote to memory of 4044	4064	idpwpu.exe	104
PID 4064 wrote to memory of 4044	4064	idpwpu.exe	104
PID 4064 wrote to memory of 4044	4064	idpwpu.exe	104
PID 4044 wrote to memory of 1192	4044	skbuzt.exe	105
PID 4044 wrote to memory of 1192	4044	skbuzt.exe	105
PID 4044 wrote to memory of 1192	4044	skbuzt.exe	105
PID 1192 wrote to memory of 4920	1192	cmd.exe	106
PID 1192 wrote to memory of 4920	1192	cmd.exe	106
PID 1192 wrote to memory of 4920	1192	cmd.exe	106
PID 4044 wrote to memory of 964	4044	skbuzt.exe	107
PID 4044 wrote to memory of 964	4044	skbuzt.exe	107
PID 4044 wrote to memory of 964	4044	skbuzt.exe	107
PID 964 wrote to memory of 3956	964	fbwwqb.exe	108

C:\Users\Admin\AppData\Local\Temp\8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    PID:4928
- C:\Windows\SysWOW64\lrswns.exe
  C:\Windows\system32\lrswns.exe 1204 "C:\Users\Admin\AppData\Local\Temp\8ec30d64f460f0d80729fe2cbc74160d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      PID:4840
- - C:\Windows\SysWOW64\vqwbyr.exe
    C:\Windows\system32\vqwbyr.exe 1168 "C:\Windows\SysWOW64\lrswns.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        
        PID:3848
  - - C:\Windows\SysWOW64\izdebq.exe
      C:\Windows\system32\izdebq.exe 1172 "C:\Windows\SysWOW64\vqwbyr.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\vqfgjy.exe
        
        C:\Windows\system32\vqfgjy.exe 1176 "C:\Windows\SysWOW64\izdebq.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        
        PID:3820
      - C:\Windows\SysWOW64\idpwpu.exe
        
        C:\Windows\system32\idpwpu.exe 1180 "C:\Windows\SysWOW64\vqfgjy.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2416
        
        C:\Windows\SysWOW64\skbuzt.exe
        
        C:\Windows\system32\skbuzt.exe 1164 "C:\Windows\SysWOW64\idpwpu.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\fbwwqb.exe
        
        C:\Windows\system32\fbwwqb.exe 1184 "C:\Windows\SysWOW64\skbuzt.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\soomwf.exe
        
        C:\Windows\system32\soomwf.exe 1192 "C:\Windows\SysWOW64\fbwwqb.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\gbxkcb.exe
        
        C:\Windows\system32\gbxkcb.exe 1196 "C:\Windows\SysWOW64\soomwf.exe"
        10⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\qlmmpe.exe
        
        C:\Windows\system32\qlmmpe.exe 1200 "C:\Windows\SysWOW64\gbxkcb.exe"
        11⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\dyekvi.exe
        
        C:\Windows\system32\dyekvi.exe 1188 "C:\Windows\SysWOW64\qlmmpe.exe"
        12⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        13⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\kcopmt.exe
        
        C:\Windows\system32\kcopmt.exe 1208 "C:\Windows\SysWOW64\dyekvi.exe"
        13⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        14⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        15⤵
        Runs .reg file with regedit
        
        PID:4736
        
        C:\Windows\SysWOW64\xpyfsx.exe
        
        C:\Windows\system32\xpyfsx.exe 1212 "C:\Windows\SysWOW64\kcopmt.exe"
        14⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        15⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\lcpcyb.exe
        
        C:\Windows\system32\lcpcyb.exe 1220 "C:\Windows\SysWOW64\xpyfsx.exe"
        15⤵
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        16⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\yphsde.exe
        
        C:\Windows\system32\yphsde.exe 1216 "C:\Windows\SysWOW64\lcpcyb.exe"
        16⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        17⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        
        PID:864
        
        C:\Windows\SysWOW64\iawcrh.exe
        
        C:\Windows\system32\iawcrh.exe 1228 "C:\Windows\SysWOW64\yphsde.exe"
        17⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        18⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\vjdfuz.exe
        
        C:\Windows\system32\vjdfuz.exe 1232 "C:\Windows\SysWOW64\iawcrh.exe"
        18⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        19⤵
        
        PID:852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\iaxich.exe
        
        C:\Windows\system32\iaxich.exe 1224 "C:\Windows\SysWOW64\vjdfuz.exe"
        19⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        20⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        21⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\vnpyil.exe
        
        C:\Windows\system32\vnpyil.exe 1236 "C:\Windows\SysWOW64\iaxich.exe"
        20⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        21⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Runs .reg file with regedit
        
        PID:1920
        
        C:\Windows\SysWOW64\fyeido.exe
        
        C:\Windows\system32\fyeido.exe 1240 "C:\Windows\SysWOW64\vnpyil.exe"
        21⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        22⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        23⤵
        Runs .reg file with regedit
        
        PID:384
        
        C:\Windows\SysWOW64\sloyjk.exe
        
        C:\Windows\system32\sloyjk.exe 1248 "C:\Windows\SysWOW64\fyeido.exe"
        22⤵
        Executes dropped EXE
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        23⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\fyfvpo.exe
        
        C:\Windows\system32\fyfvpo.exe 1252 "C:\Windows\SysWOW64\sloyjk.exe"
        23⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        24⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        25⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\tlxlvs.exe
        
        C:\Windows\system32\tlxlvs.exe 1244 "C:\Windows\SysWOW64\fyfvpo.exe"
        24⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        25⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        26⤵
        
        PID:760
        
        C:\Windows\SysWOW64\dgqwcm.exe
        
        C:\Windows\system32\dgqwcm.exe 1260 "C:\Windows\SysWOW64\tlxlvs.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        26⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        27⤵
        Modifies security service
        
        PID:2428
        
        C:\Windows\SysWOW64\qiwloz.exe
        
        C:\Windows\system32\qiwloz.exe 1256 "C:\Windows\SysWOW64\dgqwcm.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        27⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        28⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\dvnbbu.exe
        
        C:\Windows\system32\dvnbbu.exe 1268 "C:\Windows\SysWOW64\qiwloz.exe"
        27⤵
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        28⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        29⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\qixrhy.exe
        
        C:\Windows\system32\qixrhy.exe 1264 "C:\Windows\SysWOW64\dvnbbu.exe"
        28⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        29⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        30⤵
        
        PID:884
        
        C:\Windows\SysWOW64\atubub.exe
        
        C:\Windows\system32\atubub.exe 1276 "C:\Windows\SysWOW64\qixrhy.exe"
        29⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        30⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        31⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\ncbmxb.exe
        
        C:\Windows\system32\ncbmxb.exe 1280 "C:\Windows\SysWOW64\atubub.exe"
        30⤵
        Executes dropped EXE
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        31⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        32⤵
        
        PID:376
        
        C:\Windows\SysWOW64\atvggb.exe
        
        C:\Windows\system32\atvggb.exe 1272 "C:\Windows\SysWOW64\ncbmxb.exe"
        31⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        32⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\ngfemf.exe
        
        C:\Windows\system32\ngfemf.exe 1284 "C:\Windows\SysWOW64\atvggb.exe"
        32⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        33⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        34⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\pqcphi.exe
        
        C:\Windows\system32\pqcphi.exe 1288 "C:\Windows\SysWOW64\ngfemf.exe"
        33⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        34⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        35⤵
        
        PID:524
        
        C:\Windows\SysWOW64\dajrki.exe
        
        C:\Windows\system32\dajrki.exe 1292 "C:\Windows\SysWOW64\pqcphi.exe"
        34⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        35⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\qqdutq.exe
        
        C:\Windows\system32\qqdutq.exe 1296 "C:\Windows\SysWOW64\dajrki.exe"
        35⤵
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        36⤵
        
        PID:264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        37⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\ddnkym.exe
        
        C:\Windows\system32\ddnkym.exe 1300 "C:\Windows\SysWOW64\qqdutq.exe"
        36⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        37⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        38⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\nokump.exe
        
        C:\Windows\system32\nokump.exe 1308 "C:\Windows\SysWOW64\ddnkym.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        38⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        39⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\abukst.exe
        
        C:\Windows\system32\abukst.exe 1312 "C:\Windows\SysWOW64\nokump.exe"
        38⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        39⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        40⤵
        
        PID:460
        
        C:\Windows\SysWOW64\nolzxw.exe
        
        C:\Windows\system32\nolzxw.exe 1304 "C:\Windows\SysWOW64\abukst.exe"
        39⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        40⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        41⤵
        Modifies security service
        
        PID:2112
        
        C:\Windows\SysWOW64\xnqxqv.exe
        
        C:\Windows\system32\xnqxqv.exe 1316 "C:\Windows\SysWOW64\nolzxw.exe"
        40⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        41⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\kwwitv.exe
        
        C:\Windows\system32\kwwitv.exe 1320 "C:\Windows\SysWOW64\xnqxqv.exe"
        41⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        42⤵
        
        PID:940
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        43⤵
        
        PID:408
        
        C:\Windows\SysWOW64\uhlsgq.exe
        
        C:\Windows\system32\uhlsgq.exe 1328 "C:\Windows\SysWOW64\kwwitv.exe"
        42⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        43⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        44⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\iudimu.exe
        
        C:\Windows\system32\iudimu.exe 1332 "C:\Windows\SysWOW64\uhlsgq.exe"
        43⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        44⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        45⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\vhmxsx.exe
        
        C:\Windows\system32\vhmxsx.exe 1336 "C:\Windows\SysWOW64\iudimu.exe"
        44⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        45⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        46⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\fdnqzs.exe
        
        C:\Windows\system32\fdnqzs.exe 1340 "C:\Windows\SysWOW64\vhmxsx.exe"
        45⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        46⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        47⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\vtzqgb.exe
        
        C:\Windows\system32\vtzqgb.exe 1324 "C:\Windows\SysWOW64\fdnqzs.exe"
        46⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        47⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        48⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cauqaz.exe
        
        C:\Windows\system32\cauqaz.exe 1344 "C:\Windows\SysWOW64\vtzqgb.exe"
        47⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        48⤵
        
        PID:976
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        49⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\pnmggv.exe
        
        C:\Windows\system32\pnmggv.exe 1352 "C:\Windows\SysWOW64\cauqaz.exe"
        48⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        49⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\fdxonm.exe
        
        C:\Windows\system32\fdxonm.exe 1348 "C:\Windows\SysWOW64\pnmggv.exe"
        49⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        50⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        51⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\nzhtwx.exe
        
        C:\Windows\system32\nzhtwx.exe 1360 "C:\Windows\SysWOW64\fdxonm.exe"
        50⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        51⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        52⤵
        
        PID:464
        
        C:\Windows\SysWOW64\aycvfg.exe
        
        C:\Windows\system32\aycvfg.exe 1364 "C:\Windows\SysWOW64\nzhtwx.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        52⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        53⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\kehopr.exe
        
        C:\Windows\system32\kehopr.exe 1356 "C:\Windows\SysWOW64\aycvfg.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        53⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        54⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\aydbyf.exe
        
        C:\Windows\system32\aydbyf.exe 1372 "C:\Windows\SysWOW64\kehopr.exe"
        53⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        54⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        55⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\nlvzej.exe
        
        C:\Windows\system32\nlvzej.exe 1376 "C:\Windows\SysWOW64\aydbyf.exe"
        54⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        55⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        56⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\vmuzlq.exe
        
        C:\Windows\system32\vmuzlq.exe 1380 "C:\Windows\SysWOW64\nlvzej.exe"
        55⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        56⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        57⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\kiczxq.exe
        
        C:\Windows\system32\kiczxq.exe 1384 "C:\Windows\SysWOW64\vmuzlq.exe"
        56⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        57⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        58⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\xvlodm.exe
        
        C:\Windows\system32\xvlodm.exe 1388 "C:\Windows\SysWOW64\kiczxq.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        58⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        59⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cifwww.exe
        
        C:\Windows\system32\cifwww.exe 1392 "C:\Windows\SysWOW64\xvlodm.exe"
        58⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        59⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        60⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\utspet.exe
        
        C:\Windows\system32\utspet.exe 1396 "C:\Windows\SysWOW64\cifwww.exe"
        59⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        60⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        61⤵
        Modifies security service
        
        PID:976
        
        C:\Windows\SysWOW64\fptzmn.exe
        
        C:\Windows\system32\fptzmn.exe 1368 "C:\Windows\SysWOW64\utspet.exe"
        60⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        61⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        62⤵
        Modifies security service
        
        PID:2160
        
        C:\Windows\SysWOW64\vqipnw.exe
        
        C:\Windows\system32\vqipnw.exe 1400 "C:\Windows\SysWOW64\fptzmn.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        62⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        63⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\fljzur.exe
        
        C:\Windows\system32\fljzur.exe 1408 "C:\Windows\SysWOW64\vqipnw.exe"
        62⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        63⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        64⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\scecdr.exe
        
        C:\Windows\system32\scecdr.exe 1404 "C:\Windows\SysWOW64\fljzur.exe"
        63⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        64⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        65⤵
        Modifies security service
        
        PID:3456
        
        C:\Windows\SysWOW64\ajzuxo.exe
        
        C:\Windows\system32\ajzuxo.exe 1416 "C:\Windows\SysWOW64\scecdr.exe"
        64⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        65⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        66⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\kfanfj.exe
        
        C:\Windows\system32\kfanfj.exe 1412 "C:\Windows\SysWOW64\ajzuxo.exe"
        65⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        66⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        67⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\xskclf.exe
        
        C:\Windows\system32\xskclf.exe 1424 "C:\Windows\SysWOW64\kfanfj.exe"
        66⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        67⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        68⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\kqmftn.exe
        
        C:\Windows\system32\kqmftn.exe 1420 "C:\Windows\SysWOW64\xskclf.exe"
        67⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        68⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        69⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\xaliwm.exe
        
        C:\Windows\system32\xaliwm.exe 1432 "C:\Windows\SysWOW64\kqmftn.exe"
        68⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        69⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        70⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\izxfhl.exe
        
        C:\Windows\system32\izxfhl.exe 1436 "C:\Windows\SysWOW64\xaliwm.exe"
        69⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        70⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        71⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\ubdvap.exe
        
        C:\Windows\system32\ubdvap.exe 1428 "C:\Windows\SysWOW64\izxfhl.exe"
        70⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        71⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        72⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\houlgt.exe
        
        C:\Windows\system32\houlgt.exe 1440 "C:\Windows\SysWOW64\ubdvap.exe"
        71⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\uepnoc.exe
        
        C:\Windows\system32\uepnoc.exe 1448 "C:\Windows\SysWOW64\houlgt.exe"
        72⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        73⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        
        PID:536
        
        C:\Windows\SysWOW64\iowyrb.exe
        
        C:\Windows\system32\iowyrb.exe 1452 "C:\Windows\SysWOW64\uepnoc.exe"
        73⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        74⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        75⤵
        
        PID:720
        
        C:\Windows\SysWOW64\snavca.exe
        
        C:\Windows\system32\snavca.exe 1456 "C:\Windows\SysWOW64\iowyrb.exe"
        74⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        75⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        76⤵
        
        PID:992
        
        C:\Windows\SysWOW64\iziqgf.exe
        
        C:\Windows\system32\iziqgf.exe 1460 "C:\Windows\SysWOW64\snavca.exe"
        75⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        76⤵
        
        PID:856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        77⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\svbbna.exe
        
        C:\Windows\system32\svbbna.exe 1464 "C:\Windows\SysWOW64\iziqgf.exe"
        76⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        77⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        78⤵
        Runs .reg file with regedit
        
        PID:2856
        
        C:\Windows\SysWOW64\fphqzm.exe
        
        C:\Windows\system32\fphqzm.exe 1468 "C:\Windows\SysWOW64\svbbna.exe"
        77⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        78⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        79⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\ihwomc.exe
        
        C:\Windows\system32\ihwomc.exe 1444 "C:\Windows\SysWOW64\fphqzm.exe"
        78⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        79⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        80⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\ugzruk.exe
        
        C:\Windows\system32\ugzruk.exe 1476 "C:\Windows\SysWOW64\ihwomc.exe"
        79⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        80⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        81⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\ffdwfj.exe
        
        C:\Windows\system32\ffdwfj.exe 1480 "C:\Windows\SysWOW64\ugzruk.exe"
        80⤵
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        81⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        82⤵
        
        PID:460
        
        C:\Windows\SysWOW64\sokzib.exe
        
        C:\Windows\system32\sokzib.exe 1472 "C:\Windows\SysWOW64\ffdwfj.exe"
        81⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\higmrw.exe
        
        C:\Windows\system32\higmrw.exe 1488 "C:\Windows\SysWOW64\sokzib.exe"
        82⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        83⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        84⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\vvyjxs.exe
        
        C:\Windows\system32\vvyjxs.exe 1484 "C:\Windows\SysWOW64\higmrw.exe"
        83⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        84⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        85⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\awgeny.exe
        
        C:\Windows\system32\awgeny.exe 1492 "C:\Windows\SysWOW64\vvyjxs.exe"
        84⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        86⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\skxkyz.exe
        
        C:\Windows\system32\skxkyz.exe 1500 "C:\Windows\SysWOW64\awgeny.exe"
        85⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        86⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        87⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\fjamhh.exe
        
        C:\Windows\system32\fjamhh.exe 1504 "C:\Windows\SysWOW64\skxkyz.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        87⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        88⤵
        Modifies security service
        
        PID:4680
        
        C:\Windows\SysWOW64\petxoc.exe
        
        C:\Windows\system32\petxoc.exe 1496 "C:\Windows\SysWOW64\fjamhh.exe"
        87⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        88⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cvvzxk.exe
        
        C:\Windows\system32\cvvzxk.exe 1508 "C:\Windows\SysWOW64\petxoc.exe"
        88⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        89⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        90⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\mqwkff.exe
        
        C:\Windows\system32\mqwkff.exe 1512 "C:\Windows\SysWOW64\cvvzxk.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        90⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        91⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\zdghka.exe
        
        C:\Windows\system32\zdghka.exe 1520 "C:\Windows\SysWOW64\mqwkff.exe"
        90⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        91⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        92⤵
        
        PID:628
        
        C:\Windows\SysWOW64\hefazp.exe
        
        C:\Windows\system32\hefazp.exe 1516 "C:\Windows\SysWOW64\zdghka.exe"
        91⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        92⤵
        
        PID:544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        93⤵
        
        PID:552
        
        C:\Windows\SysWOW64\zsdfkr.exe
        
        C:\Windows\system32\zsdfkr.exe 1524 "C:\Windows\SysWOW64\hefazp.exe"
        92⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        93⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        94⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\kowxrl.exe
        
        C:\Windows\system32\kowxrl.exe 1532 "C:\Windows\SysWOW64\zsdfkr.exe"
        93⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        94⤵
        
        PID:756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        95⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\xnzaal.exe
        
        C:\Windows\system32\xnzaal.exe 1536 "C:\Windows\SysWOW64\kowxrl.exe"
        94⤵
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        95⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        96⤵
        Runs .reg file with regedit
        
        PID:60
        
        C:\Windows\SysWOW64\kajqgp.exe
        
        C:\Windows\system32\kajqgp.exe 1540 "C:\Windows\SysWOW64\xnzaal.exe"
        95⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        96⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        97⤵
        
        PID:864
        
        C:\Windows\SysWOW64\aerlkc.exe
        
        C:\Windows\system32\aerlkc.exe 1544 "C:\Windows\SysWOW64\kajqgp.exe"
        96⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        97⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        98⤵
        Modifies security service
        
        PID:3516
        
        C:\Windows\SysWOW64\hmedes.exe
        
        C:\Windows\system32\hmedes.exe 1548 "C:\Windows\SysWOW64\aerlkc.exe"
        97⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        98⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        99⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\xynyax.exe
        
        C:\Windows\system32\xynyax.exe 1528 "C:\Windows\SysWOW64\hmedes.exe"
        98⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        99⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        100⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\klengb.exe
        
        C:\Windows\system32\klengb.exe 1556 "C:\Windows\SysWOW64\xynyax.exe"
        99⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        100⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        101⤵
        
        PID:712
        
        C:\Windows\SysWOW64\uotybe.exe
        
        C:\Windows\system32\uotybe.exe 1560 "C:\Windows\SysWOW64\klengb.exe"
        100⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        101⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        102⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\hbdohi.exe
        
        C:\Windows\system32\hbdohi.exe 1564 "C:\Windows\SysWOW64\uotybe.exe"
        101⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        102⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        103⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\uwvlme.exe
        
        C:\Windows\system32\uwvlme.exe 1568 "C:\Windows\SysWOW64\hbdohi.exe"
        102⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        103⤵
        
        PID:376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        104⤵
        Runs .reg file with regedit
        
        PID:4272
        
        C:\Windows\SysWOW64\hmpovm.exe
        
        C:\Windows\system32\hmpovm.exe 1572 "C:\Windows\SysWOW64\uwvlme.exe"
        103⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        104⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        105⤵
        Runs .reg file with regedit
        
        PID:2856
        
        C:\Windows\SysWOW64\uzhebq.exe
        
        C:\Windows\system32\uzhebq.exe 1576 "C:\Windows\SysWOW64\hmpovm.exe"
        104⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        105⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        106⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\fylblo.exe
        
        C:\Windows\system32\fylblo.exe 1580 "C:\Windows\SysWOW64\uzhebq.exe"
        105⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        106⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        107⤵
        Runs .reg file with regedit
        
        PID:3096
        
        C:\Windows\SysWOW64\pfxzen.exe
        
        C:\Windows\system32\pfxzen.exe 1552 "C:\Windows\SysWOW64\fylblo.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        107⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        108⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cpdbhn.exe
        
        C:\Windows\system32\cpdbhn.exe 1584 "C:\Windows\SysWOW64\pfxzen.exe"
        107⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        108⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\pcnzmj.exe
        
        C:\Windows\system32\pcnzmj.exe 1588 "C:\Windows\SysWOW64\cpdbhn.exe"
        108⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        109⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        110⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\csqcvr.exe
        
        C:\Windows\system32\csqcvr.exe 1596 "C:\Windows\SysWOW64\pcnzmj.exe"
        109⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        110⤵
        
        PID:60
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\mdfmiu.exe
        
        C:\Windows\system32\mdfmiu.exe 1600 "C:\Windows\SysWOW64\csqcvr.exe"
        110⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        111⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        112⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\xjkxsg.exe
        
        C:\Windows\system32\xjkxsg.exe 1608 "C:\Windows\SysWOW64\mdfmiu.exe"
        111⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        112⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        113⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\kiezbo.exe
        
        C:\Windows\system32\kiezbo.exe 1604 "C:\Windows\SysWOW64\xjkxsg.exe"
        112⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        113⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        114⤵
        Modifies security service
        
        PID:4368
        
        C:\Windows\SysWOW64\xyhcjo.exe
        
        C:\Windows\system32\xyhcjo.exe 1612 "C:\Windows\SysWOW64\kiezbo.exe"
        113⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        114⤵
        
        PID:864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        115⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\hylzun.exe
        
        C:\Windows\system32\hylzun.exe 1592 "C:\Windows\SysWOW64\xyhcjo.exe"
        114⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        115⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        116⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\uldxar.exe
        
        C:\Windows\system32\uldxar.exe 1620 "C:\Windows\SysWOW64\hylzun.exe"
        115⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        116⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        117⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\eshusp.exe
        
        C:\Windows\system32\eshusp.exe 1624 "C:\Windows\SysWOW64\uldxar.exe"
        116⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        117⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        118⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\uwppod.exe
        
        C:\Windows\system32\uwppod.exe 1616 "C:\Windows\SysWOW64\eshusp.exe"
        117⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        118⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        119⤵
        
        PID:864
        
        C:\Windows\SysWOW64\hjzfuz.exe
        
        C:\Windows\system32\hjzfuz.exe 1628 "C:\Windows\SysWOW64\uwppod.exe"
        118⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        119⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        120⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\ruoqpc.exe
        
        C:\Windows\system32\ruoqpc.exe 1636 "C:\Windows\SysWOW64\hjzfuz.exe"
        119⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        120⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        121⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\ceenus.exe
        
        C:\Windows\system32\ceenus.exe 1640 "C:\Windows\SysWOW64\ruoqpc.exe"
        120⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        121⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        122⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\suxvbj.exe
        
        C:\Windows\system32\suxvbj.exe 1632 "C:\Windows\SysWOW64\ceenus.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        122⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        123⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\ctbsli.exe
        
        C:\Windows\system32\ctbsli.exe 1648 "C:\Windows\SysWOW64\suxvbj.exe"
        122⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        123⤵
        
        PID:376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        124⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\prwvui.exe
        
        C:\Windows\system32\prwvui.exe 1652 "C:\Windows\SysWOW64\ctbsli.exe"
        123⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        124⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        125⤵
        
        PID:552
        
        C:\Windows\SysWOW64\rnxnjd.exe
        
        C:\Windows\system32\rnxnjd.exe 1644 "C:\Windows\SysWOW64\prwvui.exe"
        124⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        125⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        126⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\houvcm.exe
        
        C:\Windows\system32\houvcm.exe 1660 "C:\Windows\SysWOW64\rnxnjd.exe"
        125⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        126⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        127⤵
        
        PID:460
        
        C:\Windows\SysWOW64\rnytvk.exe
        
        C:\Windows\system32\rnytvk.exe 1664 "C:\Windows\SysWOW64\houvcm.exe"
        126⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        127⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        128⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\faqjbo.exe
        
        C:\Windows\system32\faqjbo.exe 1668 "C:\Windows\SysWOW64\rnytvk.exe"
        127⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        128⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        129⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\rqkljo.exe
        
        C:\Windows\system32\rqkljo.exe 1672 "C:\Windows\SysWOW64\faqjbo.exe"
        128⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        129⤵
        
        PID:852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        130⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\epnosx.exe
        
        C:\Windows\system32\epnosx.exe 1676 "C:\Windows\SysWOW64\rqkljo.exe"
        129⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        130⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\rcxeya.exe
        
        C:\Windows\system32\rcxeya.exe 1680 "C:\Windows\SysWOW64\epnosx.exe"
        130⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        131⤵
        
        PID:864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        132⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\bmmote.exe
        
        C:\Windows\system32\bmmote.exe 1684 "C:\Windows\SysWOW64\rcxeya.exe"
        131⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        132⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        133⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\mingay.exe
        
        C:\Windows\system32\mingay.exe 1656 "C:\Windows\SysWOW64\bmmote.exe"
        132⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        133⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        134⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cjkocz.exe
        
        C:\Windows\system32\cjkocz.exe 1688 "C:\Windows\SysWOW64\mingay.exe"
        133⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        134⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        135⤵
        Modifies security service
        
        PID:1644
        
        C:\Windows\SysWOW64\mfdzjt.exe
        
        C:\Windows\system32\mfdzjt.exe 1696 "C:\Windows\SysWOW64\cjkocz.exe"
        134⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        135⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        136⤵
        Runs .reg file with regedit
        
        PID:2128
        
        C:\Windows\SysWOW64\zkucxk.exe
        
        C:\Windows\system32\zkucxk.exe 1692 "C:\Windows\SysWOW64\mfdzjt.exe"
        135⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        136⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        137⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\mxmrdo.exe
        
        C:\Windows\system32\mxmrdo.exe 1704 "C:\Windows\SysWOW64\zkucxk.exe"
        136⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        137⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        138⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3316
        
        C:\Windows\SysWOW64\zkvhjk.exe
        
        C:\Windows\system32\zkvhjk.exe 1700 "C:\Windows\SysWOW64\mxmrdo.exe"
        137⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        138⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        139⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\jjhebj.exe
        
        C:\Windows\system32\jjhebj.exe 1712 "C:\Windows\SysWOW64\zkvhjk.exe"
        138⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        139⤵
        
        PID:460
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        140⤵
        Runs .reg file with regedit
        
        PID:3128
        
        C:\Windows\SysWOW64\xtohei.exe
        
        C:\Windows\system32\xtohei.exe 1716 "C:\Windows\SysWOW64\jjhebj.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        140⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        141⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\hssnph.exe
        
        C:\Windows\system32\hssnph.exe 1720 "C:\Windows\SysWOW64\xtohei.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        141⤵
        
        PID:60
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        142⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\xeaitu.exe
        
        C:\Windows\system32\xeaitu.exe 1708 "C:\Windows\SysWOW64\hssnph.exe"
        141⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        142⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        143⤵
        
        PID:756
        
        C:\Windows\SysWOW64\hdefdt.exe
        
        C:\Windows\system32\hdefdt.exe 1728 "C:\Windows\SysWOW64\xeaitu.exe"
        142⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        143⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        144⤵
        
        PID:720
        
        C:\Windows\SysWOW64\uqwvjp.exe
        
        C:\Windows\system32\uqwvjp.exe 1732 "C:\Windows\SysWOW64\hdefdt.exe"
        143⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        144⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        145⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\etlfes.exe
        
        C:\Windows\system32\etlfes.exe 1736 "C:\Windows\SysWOW64\uqwvjp.exe"
        144⤵
        Drops file in System32 directory
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        145⤵
        
        PID:448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        146⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\uflaaf.exe
        
        C:\Windows\system32\uflaaf.exe 1740 "C:\Windows\SysWOW64\etlfes.exe"
        145⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        146⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        147⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\fxbxnv.exe
        
        C:\Windows\system32\fxbxnv.exe 1744 "C:\Windows\SysWOW64\uflaaf.exe"
        146⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        147⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        148⤵
        
        PID:544
        
        C:\Windows\SysWOW64\oayiay.exe
        
        C:\Windows\system32\oayiay.exe 1748 "C:\Windows\SysWOW64\fxbxnv.exe"
        147⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        148⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        149⤵
        Modifies security service
        
        PID:1144
        
        C:\Windows\SysWOW64\bqtljz.exe
        
        C:\Windows\system32\bqtljz.exe 1752 "C:\Windows\SysWOW64\oayiay.exe"
        148⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        149⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        150⤵
        Modifies security service
        
        PID:2248
        
        C:\Windows\SysWOW64\rzqtkh.exe
        
        C:\Windows\system32\rzqtkh.exe 1724 "C:\Windows\SysWOW64\bqtljz.exe"
        149⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        150⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        151⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cvjlsc.exe
        
        C:\Windows\system32\cvjlsc.exe 1756 "C:\Windows\SysWOW64\rzqtkh.exe"
        150⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        151⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        152⤵
        Modifies security service
        
        PID:1412
        
        C:\Windows\SysWOW64\osaggl.exe
        
        C:\Windows\system32\osaggl.exe 1764 "C:\Windows\SysWOW64\cvjlsc.exe"
        151⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        152⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        153⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\zobywf.exe
        
        C:\Windows\system32\zobywf.exe 1760 "C:\Windows\SysWOW64\osaggl.exe"
        152⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        153⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        154⤵
        Runs .reg file with regedit
        
        PID:4028
        
        C:\Windows\SysWOW64\pabtss.exe
        
        C:\Windows\system32\pabtss.exe 1768 "C:\Windows\SysWOW64\zobywf.exe"
        153⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        154⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        155⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\zzoqkr.exe
        
        C:\Windows\system32\zzoqkr.exe 1776 "C:\Windows\SysWOW64\pabtss.exe"
        154⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        155⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        156⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\mmxgqv.exe
        
        C:\Windows\system32\mmxgqv.exe 1780 "C:\Windows\SysWOW64\zzoqkr.exe"
        155⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        156⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        157⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\zzpwwr.exe
        
        C:\Windows\system32\zzpwwr.exe 1772 "C:\Windows\SysWOW64\mmxgqv.exe"
        156⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        157⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        158⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\mugmbv.exe
        
        C:\Windows\system32\mugmbv.exe 1788 "C:\Windows\SysWOW64\zzpwwr.exe"
        157⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        158⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        159⤵
        Runs .reg file with regedit
        
        PID:2240
        
        C:\Windows\SysWOW64\wukrmu.exe
        
        C:\Windows\system32\wukrmu.exe 1792 "C:\Windows\SysWOW64\mugmbv.exe"
        158⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        159⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        160⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\htooes.exe
        
        C:\Windows\system32\htooes.exe 1784 "C:\Windows\SysWOW64\wukrmu.exe"
        159⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        160⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        161⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\tjrrnb.exe
        
        C:\Windows\system32\tjrrnb.exe 1800 "C:\Windows\SysWOW64\htooes.exe"
        160⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        161⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        162⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\ksozob.exe
        
        C:\Windows\system32\ksozob.exe 1796 "C:\Windows\SysWOW64\tjrrnb.exe"
        161⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        162⤵
        
        PID:856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\uohkww.exe
        
        C:\Windows\system32\uohkww.exe 1804 "C:\Windows\SysWOW64\ksozob.exe"
        162⤵
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        163⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        164⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\hekmee.exe
        
        C:\Windows\system32\hekmee.exe 1812 "C:\Windows\SysWOW64\uohkww.exe"
        163⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        164⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        165⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\rhzxrh.exe
        
        C:\Windows\system32\rhzxrh.exe 1816 "C:\Windows\SysWOW64\hekmee.exe"
        164⤵
        
        PID:460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        165⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        166⤵
        Modifies security service
        
        PID:1156
        
        C:\Windows\SysWOW64\eqgzuh.exe
        
        C:\Windows\system32\eqgzuh.exe 1820 "C:\Windows\SysWOW64\rhzxrh.exe"
        165⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        166⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        167⤵
        Runs .reg file with regedit
        
        PID:4416
        
        C:\Windows\SysWOW64\rpaclh.exe
        
        C:\Windows\system32\rpaclh.exe 1808 "C:\Windows\SysWOW64\eqgzuh.exe"
        166⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        167⤵
        
        PID:392
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        168⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\efvfup.exe
        
        C:\Windows\system32\efvfup.exe 1828 "C:\Windows\SysWOW64\rpaclh.exe"
        167⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        168⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        169⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\oehceo.exe
        
        C:\Windows\system32\oehceo.exe 1832 "C:\Windows\SysWOW64\efvfup.exe"
        168⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        169⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        170⤵
        Runs .reg file with regedit
        
        PID:1408
        
        C:\Windows\SysWOW64\coonhn.exe
        
        C:\Windows\system32\coonhn.exe 1836 "C:\Windows\SysWOW64\oehceo.exe"
        169⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        170⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        171⤵
        Runs .reg file with regedit
        
        PID:2936
        
        C:\Windows\SysWOW64\gqudss.exe
        
        C:\Windows\system32\gqudss.exe 1840 "C:\Windows\SysWOW64\coonhn.exe"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        171⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        172⤵
        Modifies security service
        
        PID:3524
        
        C:\Windows\SysWOW64\rlnnau.exe
        
        C:\Windows\system32\rlnnau.exe 1844 "C:\Windows\SysWOW64\gqudss.exe"
        171⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        172⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        173⤵
        Runs .reg file with regedit
        
        PID:4636
        
        C:\Windows\SysWOW64\ecpqru.exe
        
        C:\Windows\system32\ecpqru.exe 1824 "C:\Windows\SysWOW64\rlnnau.exe"
        172⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        173⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        174⤵
        Modifies security service
        
        PID:1596
        
        C:\Windows\SysWOW64\oyiayp.exe
        
        C:\Windows\system32\oyiayp.exe 1848 "C:\Windows\SysWOW64\ecpqru.exe"
        173⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        174⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        175⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\eyfqzy.exe
        
        C:\Windows\system32\eyfqzy.exe 1856 "C:\Windows\SysWOW64\oyiayp.exe"
        174⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        175⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        176⤵
        Modifies security service
        
        PID:4284
        
        C:\Windows\SysWOW64\ojvtnb.exe
        
        C:\Windows\system32\ojvtnb.exe 1860 "C:\Windows\SysWOW64\eyfqzy.exe"
        175⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        176⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        177⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\baxvvb.exe
        
        C:\Windows\system32\baxvvb.exe 1864 "C:\Windows\SysWOW64\ojvtnb.exe"
        176⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        177⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        178⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\ovhtbf.exe
        
        C:\Windows\system32\ovhtbf.exe 1868 "C:\Windows\SysWOW64\baxvvb.exe"
        177⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        178⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        179⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\bhzjhj.exe
        
        C:\Windows\system32\bhzjhj.exe 1872 "C:\Windows\SysWOW64\ovhtbf.exe"
        178⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        179⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        180⤵
        Runs .reg file with regedit
        
        PID:1492
        
        C:\Windows\SysWOW64\lhdgzi.exe
        
        C:\Windows\system32\lhdgzi.exe 1876 "C:\Windows\SysWOW64\bhzjhj.exe"
        179⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        180⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        181⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\yxfjii.exe
        
        C:\Windows\system32\yxfjii.exe 1880 "C:\Windows\SysWOW64\lhdgzi.exe"
        180⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        181⤵
        
        PID:216
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        182⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\pyurbr.exe
        
        C:\Windows\system32\pyurbr.exe 1884 "C:\Windows\SysWOW64\yxfjii.exe"
        181⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        182⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        183⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\zfhotp.exe
        
        C:\Windows\system32\zfhotp.exe 1888 "C:\Windows\SysWOW64\pyurbr.exe"
        182⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        183⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        184⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\msyezt.exe
        
        C:\Windows\system32\msyezt.exe 1892 "C:\Windows\SysWOW64\zfhotp.exe"
        183⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        184⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        185⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\wvnomw.exe
        
        C:\Windows\system32\wvnomw.exe 1896 "C:\Windows\SysWOW64\msyezt.exe"
        184⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        185⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        186⤵
        Runs .reg file with regedit
        
        PID:5204
        
        C:\Windows\SysWOW64\mwcwox.exe
        
        C:\Windows\system32\mwcwox.exe 1852 "C:\Windows\SysWOW64\wvnomw.exe"
        185⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        186⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        187⤵
        Runs .reg file with regedit
        
        PID:5728
        
        C:\Windows\SysWOW64\wdpcyw.exe
        
        C:\Windows\system32\wdpcyw.exe 1904 "C:\Windows\SysWOW64\mwcwox.exe"
        186⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        187⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\hnezlm.exe
        
        C:\Windows\system32\hnezlm.exe 1908 "C:\Windows\SysWOW64\wdpcyw.exe"
        187⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        188⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:5352
        
        C:\Windows\SysWOW64\tpkpwz.exe
        
        C:\Windows\system32\tpkpwz.exe 1912 "C:\Windows\SysWOW64\hnezlm.exe"
        188⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        190⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\eoomhx.exe
        
        C:\Windows\system32\eoomhx.exe 1916 "C:\Windows\SysWOW64\tpkpwz.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        190⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        191⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\taxhld.exe
        
        C:\Windows\system32\taxhld.exe 1900 "C:\Windows\SysWOW64\eoomhx.exe"
        190⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        191⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        192⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\ezbfvb.exe
        
        C:\Windows\system32\ezbfvb.exe 1924 "C:\Windows\SysWOW64\taxhld.exe"
        191⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        192⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        193⤵
        Modifies security service
        
        PID:6028
        
        C:\Windows\SysWOW64\rmsubf.exe
        
        C:\Windows\system32\rmsubf.exe 1928 "C:\Windows\SysWOW64\ezbfvb.exe"
        192⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        193⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        194⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\blwate.exe
        
        C:\Windows\system32\blwate.exe 1932 "C:\Windows\SysWOW64\rmsubf.exe"
        193⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        194⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        195⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\oyopzi.exe
        
        C:\Windows\system32\oyopzi.exe 1936 "C:\Windows\SysWOW64\blwate.exe"
        194⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        195⤵
        
        PID:540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        196⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:6108
        
        C:\Windows\SysWOW64\elokdn.exe
        
        C:\Windows\system32\elokdn.exe 1940 "C:\Windows\SysWOW64\oyopzi.exe"
        195⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        196⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        197⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\ltkdpd.exe
        
        C:\Windows\system32\ltkdpd.exe 1944 "C:\Windows\SysWOW64\elokdn.exe"
        196⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        197⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        198⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\yjefyl.exe
        
        C:\Windows\system32\yjefyl.exe 1948 "C:\Windows\SysWOW64\ltkdpd.exe"
        197⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        198⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        199⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\okbnzu.exe
        
        C:\Windows\system32\okbnzu.exe 1952 "C:\Windows\SysWOW64\yjefyl.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        199⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        200⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:5328
        
        C:\Windows\SysWOW64\yvrymx.exe
        
        C:\Windows\system32\yvrymx.exe 1920 "C:\Windows\SysWOW64\okbnzu.exe"
        199⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        201⤵
        Runs .reg file with regedit
        
        PID:1920
        
        C:\Windows\SysWOW64\miinst.exe
        
        C:\Windows\system32\miinst.exe 1956 "C:\Windows\SysWOW64\yvrymx.exe"
        200⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        201⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        202⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\whmllr.exe
        
        C:\Windows\system32\whmllr.exe 1964 "C:\Windows\SysWOW64\miinst.exe"
        201⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        202⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        203⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\mijbma.exe
        
        C:\Windows\system32\mijbma.exe 1968 "C:\Windows\SysWOW64\whmllr.exe"
        202⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        203⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        204⤵
        Modifies security service
        
        PID:4356
        
        C:\Windows\SysWOW64\wdkltv.exe
        
        C:\Windows\system32\wdkltv.exe 1960 "C:\Windows\SysWOW64\mijbma.exe"
        203⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        204⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        205⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\jcfocd.exe
        
        C:\Windows\system32\jcfocd.exe 1976 "C:\Windows\SysWOW64\wdkltv.exe"
        204⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        205⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        206⤵
        Modifies security service
        
        PID:5720
        
        C:\Windows\SysWOW64\tbrlmu.exe
        
        C:\Windows\system32\tbrlmu.exe 1980 "C:\Windows\SysWOW64\jcfocd.exe"
        205⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        206⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        207⤵
        Modifies security service
        
        PID:5316
        
        C:\Windows\SysWOW64\grmovc.exe
        
        C:\Windows\system32\grmovc.exe 1972 "C:\Windows\SysWOW64\tbrlmu.exe"
        206⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        207⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        208⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\tqhrmk.exe
        
        C:\Windows\system32\tqhrmk.exe 1984 "C:\Windows\SysWOW64\grmovc.exe"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        208⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        209⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\hzntpk.exe
        
        C:\Windows\system32\hzntpk.exe 1992 "C:\Windows\SysWOW64\tqhrmk.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        209⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        210⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\qcdecn.exe
        
        C:\Windows\system32\qcdecn.exe 1988 "C:\Windows\SysWOW64\hzntpk.exe"
        209⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        210⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:5956
        
        C:\Windows\SysWOW64\eljpfe.exe
        
        C:\Windows\system32\eljpfe.exe 1996 "C:\Windows\SysWOW64\qcdecn.exe"
        210⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        211⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        212⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\rkernm.exe
        
        C:\Windows\system32\rkernm.exe 2000 "C:\Windows\SysWOW64\eljpfe.exe"
        211⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        212⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        213⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\bfecvh.exe
        
        C:\Windows\system32\bfecvh.exe 2008 "C:\Windows\SysWOW64\rkernm.exe"
        212⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        213⤵
        
        PID:756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        214⤵
        Modifies security service
        
        PID:5728
        
        C:\Windows\SysWOW64\ozlrot.exe
        
        C:\Windows\system32\ozlrot.exe 2012 "C:\Windows\SysWOW64\bfecvh.exe"
        213⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        214⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        215⤵
        Runs .reg file with regedit
        
        PID:5096
        
        C:\Windows\SysWOW64\zopkqf.exe
        
        C:\Windows\system32\zopkqf.exe 2016 "C:\Windows\SysWOW64\ozlrot.exe"
        214⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        215⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        216⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\brmuei.exe
        
        C:\Windows\system32\brmuei.exe 2020 "C:\Windows\SysWOW64\zopkqf.exe"
        215⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        216⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        217⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\tudmgx.exe
        
        C:\Windows\system32\tudmgx.exe 2024 "C:\Windows\SysWOW64\brmuei.exe"
        216⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        217⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        218⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\dthkqw.exe
        
        C:\Windows\system32\dthkqw.exe 2004 "C:\Windows\SysWOW64\tudmgx.exe"
        217⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        218⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        219⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\ottpbu.exe
        
        C:\Windows\system32\ottpbu.exe 2032 "C:\Windows\SysWOW64\dthkqw.exe"
        218⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        219⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        220⤵
        Modifies security service
        
        PID:3832
        
        C:\Windows\SysWOW64\efukfa.exe
        
        C:\Windows\system32\efukfa.exe 2028 "C:\Windows\SysWOW64\ottpbu.exe"
        219⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        220⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        221⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\lbepwt.exe
        
        C:\Windows\system32\lbepwt.exe 2036 "C:\Windows\SysWOW64\efukfa.exe"
        220⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        221⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        222⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\bomkay.exe
        
        C:\Windows\system32\bomkay.exe 2044 "C:\Windows\SysWOW64\lbepwt.exe"
        221⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        222⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        223⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\oehnjg.exe
        
        C:\Windows\system32\oehnjg.exe 2040 "C:\Windows\SysWOW64\bomkay.exe"
        222⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        223⤵
        
        PID:216
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        224⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\ydlktf.exe
        
        C:\Windows\system32\ydlktf.exe 2052 "C:\Windows\SysWOW64\oehnjg.exe"
        223⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        224⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        225⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\lydazj.exe
        
        C:\Windows\system32\lydazj.exe 2060 "C:\Windows\SysWOW64\ydlktf.exe"
        224⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        225⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        226⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\trcanp.exe
        
        C:\Windows\system32\trcanp.exe 2056 "C:\Windows\SysWOW64\lydazj.exe"
        225⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        226⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        227⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\jhnimz.exe
        
        C:\Windows\system32\jhnimz.exe 2064 "C:\Windows\SysWOW64\trcanp.exe"
        226⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        227⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        228⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\wxqldh.exe
        
        C:\Windows\system32\wxqldh.exe 2072 "C:\Windows\SysWOW64\jhnimz.exe"
        227⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        228⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        229⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\dfddpx.exe
        
        C:\Windows\system32\dfddpx.exe 2076 "C:\Windows\SysWOW64\wxqldh.exe"
        228⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        229⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        230⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\trlytk.exe
        
        C:\Windows\system32\trlytk.exe 2080 "C:\Windows\SysWOW64\dfddpx.exe"
        229⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        230⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        231⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\dqqwdj.exe
        
        C:\Windows\system32\dqqwdj.exe 2068 "C:\Windows\SysWOW64\trlytk.exe"
        230⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        231⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\qdhtje.exe
        
        C:\Windows\system32\qdhtje.exe 2088 "C:\Windows\SysWOW64\dqqwdj.exe"
        231⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        232⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        233⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\ducwsn.exe
        
        C:\Windows\system32\ducwsn.exe 2084 "C:\Windows\SysWOW64\qdhtje.exe"
        232⤵
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        233⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        234⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\qsxriv.exe
        
        C:\Windows\system32\qsxriv.exe 2092 "C:\Windows\SysWOW64\ducwsn.exe"
        233⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        234⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        235⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\djatrv.exe
        
        C:\Windows\system32\djatrv.exe 2096 "C:\Windows\SysWOW64\qsxriv.exe"
        234⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        235⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        236⤵
        
        PID:464
        
        C:\Windows\SysWOW64\oyemtp.exe
        
        C:\Windows\system32\oyemtp.exe 2100 "C:\Windows\SysWOW64\djatrv.exe"
        235⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        236⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        237⤵
        Runs .reg file with regedit
        
        PID:4572
        
        C:\Windows\SysWOW64\bskbet.exe
        
        C:\Windows\system32\bskbet.exe 2104 "C:\Windows\SysWOW64\oyemtp.exe"
        236⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        237⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        238⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\obqeht.exe
        
        C:\Windows\system32\obqeht.exe 2112 "C:\Windows\SysWOW64\bskbet.exe"
        237⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        238⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        239⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\bdwutf.exe
        
        C:\Windows\system32\bdwutf.exe 2108 "C:\Windows\SysWOW64\obqeht.exe"
        238⤵
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        239⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        240⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\lzxeia.exe
        
        C:\Windows\system32\lzxeia.exe 2120 "C:\Windows\SysWOW64\bdwutf.exe"
        239⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        240⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        241⤵
        Modifies security service
        
        PID:5916
        
        C:\Windows\SysWOW64\ypshra.exe
        
        C:\Windows\system32\ypshra.exe 2124 "C:\Windows\SysWOW64\lzxeia.exe"
        240⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        241⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        242⤵
        Runs .reg file with regedit
        
        PID:5860
        
        C:\Windows\SysWOW64\lzysuz.exe
        
        C:\Windows\system32\lzysuz.exe 2116 "C:\Windows\SysWOW64\ypshra.exe"
        241⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        242⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        243⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\ybezfm.exe
        
        C:\Windows\system32\ybezfm.exe 2132 "C:\Windows\SysWOW64\lzysuz.exe"
        242⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        243⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        244⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\lowxlq.exe
        
        C:\Windows\system32\lowxlq.exe 2128 "C:\Windows\SysWOW64\ybezfm.exe"
        243⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        244⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        245⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\tovxsx.exe
        
        C:\Windows\system32\tovxsx.exe 2136 "C:\Windows\SysWOW64\lowxlq.exe"
        244⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        245⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        246⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\gfqsaf.exe
        
        C:\Windows\system32\gfqsaf.exe 2144 "C:\Windows\SysWOW64\tovxsx.exe"
        245⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        246⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        247⤵
        Modifies security service
        
        PID:5740
        
        C:\Windows\SysWOW64\wymnkt.exe
        
        C:\Windows\system32\wymnkt.exe 2148 "C:\Windows\SysWOW64\gfqsaf.exe"
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        247⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        248⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\jledqw.exe
        
        C:\Windows\system32\jledqw.exe 2140 "C:\Windows\SysWOW64\wymnkt.exe"
        247⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        248⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        249⤵
        Modifies security service
        
        PID:5856
        
        C:\Windows\SysWOW64\tkiaiv.exe
        
        C:\Windows\system32\tkiaiv.exe 2156 "C:\Windows\SysWOW64\jledqw.exe"
        248⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        249⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        250⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:5432
        
        C:\Windows\SysWOW64\gxaqor.exe
        
        C:\Windows\system32\gxaqor.exe 2160 "C:\Windows\SysWOW64\tkiaiv.exe"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        250⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        251⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\tsjnuv.exe
        
        C:\Windows\system32\tsjnuv.exe 2164 "C:\Windows\SysWOW64\gxaqor.exe"
        250⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        251⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        252⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\gjmqcd.exe
        
        C:\Windows\system32\gjmqcd.exe 2152 "C:\Windows\SysWOW64\tsjnuv.exe"
        251⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        253⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\qefbkx.exe
        
        C:\Windows\system32\qefbkx.exe 2172 "C:\Windows\SysWOW64\gjmqcd.exe"
        252⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        253⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        254⤵
        Modifies security service
        
        PID:3640
        
        C:\Windows\SysWOW64\erwqqb.exe
        
        C:\Windows\system32\erwqqb.exe 2176 "C:\Windows\SysWOW64\qefbkx.exe"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        254⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        255⤵
        Modifies security service
        
        PID:5660
        
        C:\Windows\SysWOW64\ocmble.exe
        
        C:\Windows\system32\ocmble.exe 2180 "C:\Windows\SysWOW64\erwqqb.exe"
        254⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        255⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        256⤵
        
        PID:756
        
        C:\Windows\SysWOW64\dguwpk.exe
        
        C:\Windows\system32\dguwpk.exe 2184 "C:\Windows\SysWOW64\ocmble.exe"
        255⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        256⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        257⤵
        Modifies security service
        
        PID:5492
        
        C:\Windows\SysWOW64\rtelvo.exe
        
        C:\Windows\system32\rtelvo.exe 2188 "C:\Windows\SysWOW64\dguwpk.exe"
        256⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        257⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        258⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\aetwir.exe
        
        C:\Windows\system32\aetwir.exe 2192 "C:\Windows\SysWOW64\rtelvo.exe"
        257⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        258⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        259⤵
        
        PID:392
        
        C:\Windows\SysWOW64\orllom.exe
        
        C:\Windows\system32\orllom.exe 2196 "C:\Windows\SysWOW64\aetwir.exe"
        258⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        259⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        260⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\yqpjyl.exe
        
        C:\Windows\system32\yqpjyl.exe 2200 "C:\Windows\SysWOW64\orllom.exe"
        259⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        260⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        261⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\ouxecy.exe
        
        C:\Windows\system32\ouxecy.exe 2204 "C:\Windows\SysWOW64\yqpjyl.exe"
        260⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        261⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        262⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\qqywst.exe
        
        C:\Windows\system32\qqywst.exe 2208 "C:\Windows\SysWOW64\ouxecy.exe"
        261⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        262⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Windows\SysWOW64\dptzbb.exe
        
        C:\Windows\system32\dptzbb.exe 2212 "C:\Windows\SysWOW64\qqywst.exe"
        262⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        263⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        264⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\qckpgx.exe
        
        C:\Windows\system32\qckpgx.exe 2216 "C:\Windows\SysWOW64\dptzbb.exe"
        263⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        264⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        265⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\abomrw.exe
        
        C:\Windows\system32\abomrw.exe 2220 "C:\Windows\SysWOW64\qckpgx.exe"
        264⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        265⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        266⤵
        Runs .reg file with regedit
        
        PID:5752
        
        C:\Windows\SysWOW64\nzjpze.exe
        
        C:\Windows\system32\nzjpze.exe 2224 "C:\Windows\SysWOW64\abomrw.exe"
        265⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        266⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        267⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\ambffi.exe
        
        C:\Windows\system32\ambffi.exe 2228 "C:\Windows\SysWOW64\nzjpze.exe"
        266⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        267⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        268⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\llfcyh.exe
        
        C:\Windows\system32\llfcyh.exe 2168 "C:\Windows\SysWOW64\ambffi.exe"
        267⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        269⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\bmckrh.exe
        
        C:\Windows\system32\bmckrh.exe 2236 "C:\Windows\SysWOW64\llfcyh.exe"
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        269⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        270⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\llopjg.exe
        
        C:\Windows\system32\llopjg.exe 2240 "C:\Windows\SysWOW64\bmckrh.exe"
        269⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        271⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ygxfpk.exe
        
        C:\Windows\system32\ygxfpk.exe 2244 "C:\Windows\SysWOW64\llopjg.exe"
        270⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        271⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        272⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\lxsiys.exe
        
        C:\Windows\system32\lxsiys.exe 2232 "C:\Windows\SysWOW64\ygxfpk.exe"
        271⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        272⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        273⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\ykkxdo.exe
        
        C:\Windows\system32\ykkxdo.exe 2252 "C:\Windows\SysWOW64\lxsiys.exe"
        272⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        273⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        274⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\iuzirr.exe
        
        C:\Windows\system32\iuzirr.exe 2256 "C:\Windows\SysWOW64\ykkxdo.exe"
        273⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        274⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        275⤵
        Runs .reg file with regedit
        
        PID:1156
        
        C:\Windows\SysWOW64\vlclzz.exe
        
        C:\Windows\system32\vlclzz.exe 2260 "C:\Windows\SysWOW64\iuzirr.exe"
        274⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        275⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        276⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\gdrimp.exe
        
        C:\Windows\system32\gdrimp.exe 2248 "C:\Windows\SysWOW64\vlclzz.exe"
        275⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        276⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        277⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\whsdqd.exe
        
        C:\Windows\system32\whsdqd.exe 2268 "C:\Windows\SysWOW64\gdrimp.exe"
        276⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        277⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        278⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\ggwiat.exe
        
        C:\Windows\system32\ggwiat.exe 2272 "C:\Windows\SysWOW64\whsdqd.exe"
        277⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        278⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        279⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\sikqmg.exe
        
        C:\Windows\system32\sikqmg.exe 2276 "C:\Windows\SysWOW64\ggwiat.exe"
        278⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        279⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        280⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\dbavrw.exe
        
        C:\Windows\system32\dbavrw.exe 2280 "C:\Windows\SysWOW64\sikqmg.exe"
        279⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        280⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        281⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\tfaqvj.exe
        
        C:\Windows\system32\tfaqvj.exe 2284 "C:\Windows\SysWOW64\dbavrw.exe"
        280⤵
        Drops file in System32 directory
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        281⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        282⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\gdvtdk.exe
        
        C:\Windows\system32\gdvtdk.exe 2288 "C:\Windows\SysWOW64\tfaqvj.exe"
        281⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        282⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        283⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\qdhrwi.exe
        
        C:\Windows\system32\qdhrwi.exe 2292 "C:\Windows\SysWOW64\gdvtdk.exe"
        282⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        283⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        284⤵
        Modifies security service
        
        PID:5252
        
        C:\Windows\SysWOW64\dqqgbm.exe
        
        C:\Windows\system32\dqqgbm.exe 2296 "C:\Windows\SysWOW64\qdhrwi.exe"
        283⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        284⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        285⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\qdiwhq.exe
        
        C:\Windows\system32\qdiwhq.exe 2300 "C:\Windows\SysWOW64\dqqgbm.exe"
        284⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        285⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        286⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\acmtsp.exe
        
        C:\Windows\system32\acmtsp.exe 2304 "C:\Windows\SysWOW64\qdiwhq.exe"
        285⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        286⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        287⤵
        Modifies security service
        
        PID:5432
        
        C:\Windows\SysWOW64\ljyzco.exe
        
        C:\Windows\system32\ljyzco.exe 2308 "C:\Windows\SysWOW64\acmtsp.exe"
        286⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        287⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        288⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\ywipij.exe
        
        C:\Windows\system32\ywipij.exe 2312 "C:\Windows\SysWOW64\ljyzco.exe"
        287⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        288⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        289⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\oaqkmx.exe
        
        C:\Windows\system32\oaqkmx.exe 2316 "C:\Windows\SysWOW64\ywipij.exe"
        288⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        289⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        290⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\yzuhev.exe
        
        C:\Windows\system32\yzuhev.exe 2264 "C:\Windows\SysWOW64\oaqkmx.exe"
        289⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        290⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        291⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\lyxkne.exe
        
        C:\Windows\system32\lyxkne.exe 2320 "C:\Windows\SysWOW64\yzuhev.exe"
        290⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        292⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\vtquuy.exe
        
        C:\Windows\system32\vtquuy.exe 2328 "C:\Windows\SysWOW64\lyxkne.exe"
        291⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        292⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        293⤵
        Runs .reg file with regedit
        
        PID:4156
        
        C:\Windows\SysWOW64\lyypyd.exe
        
        C:\Windows\system32\lyypyd.exe 2332 "C:\Windows\SysWOW64\vtquuy.exe"
        292⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        294⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\vxcmjc.exe
        
        C:\Windows\system32\vxcmjc.exe 2336 "C:\Windows\SysWOW64\lyypyd.exe"
        293⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        294⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        295⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\ivfprk.exe
        
        C:\Windows\system32\ivfprk.exe 2340 "C:\Windows\SysWOW64\vxcmjc.exe"
        294⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        295⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        296⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\viofxg.exe
        
        C:\Windows\system32\viofxg.exe 2344 "C:\Windows\SysWOW64\ivfprk.exe"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        296⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        297⤵
        
        PID:216
        
        C:\Windows\SysWOW64\dqkfrd.exe
        
        C:\Windows\system32\dqkfrd.exe 2324 "C:\Windows\SysWOW64\viofxg.exe"
        296⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        297⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        298⤵
        Runs .reg file with regedit
        
        PID:5344
        
        C:\Windows\SysWOW64\sgvfyn.exe
        
        C:\Windows\system32\sgvfyn.exe 2352 "C:\Windows\SysWOW64\dqkfrd.exe"
        297⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        298⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        299⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\ftnder.exe
        
        C:\Windows\system32\ftnder.exe 2356 "C:\Windows\SysWOW64\sgvfyn.exe"
        298⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        299⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        300⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\qsraoq.exe
        
        C:\Windows\system32\qsraoq.exe 2360 "C:\Windows\SysWOW64\ftnder.exe"
        299⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        300⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        301⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\gtoiqr.exe
        
        C:\Windows\system32\gtoiqr.exe 2364 "C:\Windows\SysWOW64\qsraoq.exe"
        300⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        301⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        302⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\nbbako.exe
        
        C:\Windows\system32\nbbako.exe 2368 "C:\Windows\SysWOW64\gtoiqr.exe"
        301⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        302⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        303⤵
        Modifies security service
        
        PID:5612
        
        C:\Windows\SysWOW64\dqvijx.exe
        
        C:\Windows\system32\dqvijx.exe 2348 "C:\Windows\SysWOW64\nbbako.exe"
        302⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        303⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        304⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\obkovo.exe
        
        C:\Windows\system32\obkovo.exe 2376 "C:\Windows\SysWOW64\dqvijx.exe"
        303⤵
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        304⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        305⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\xlayjr.exe
        
        C:\Windows\system32\xlayjr.exe 2380 "C:\Windows\SysWOW64\obkovo.exe"
        304⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        305⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        306⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\nqatnw.exe
        
        C:\Windows\system32\nqatnw.exe 2384 "C:\Windows\SysWOW64\xlayjr.exe"
        305⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        306⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        307⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\ylbduy.exe
        
        C:\Windows\system32\ylbduy.exe 2388 "C:\Windows\SysWOW64\nqatnw.exe"
        306⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        307⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        308⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\fbmlbi.exe
        
        C:\Windows\system32\fbmlbi.exe 2392 "C:\Windows\SysWOW64\ylbduy.exe"
        307⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        308⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        309⤵
        
        PID:864
        
        C:\Windows\SysWOW64\toebhm.exe
        
        C:\Windows\system32\toebhm.exe 2372 "C:\Windows\SysWOW64\fbmlbi.exe"
        308⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        309⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        310⤵
        Modifies security service
        
        PID:856
        
        C:\Windows\SysWOW64\cztmup.exe
        
        C:\Windows\system32\cztmup.exe 2400 "C:\Windows\SysWOW64\toebhm.exe"
        309⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        310⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        311⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\qmlbil.exe
        
        C:\Windows\system32\qmlbil.exe 2396 "C:\Windows\SysWOW64\cztmup.exe"
        310⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        311⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        312⤵
        Modifies security service
        
        PID:5324
        
        C:\Windows\SysWOW64\awbhnb.exe
        
        C:\Windows\system32\awbhnb.exe 2408 "C:\Windows\SysWOW64\qmlbil.exe"
        311⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        312⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        313⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\nyhoyn.exe
        
        C:\Windows\system32\nyhoyn.exe 2412 "C:\Windows\SysWOW64\awbhnb.exe"
        312⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        313⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        314⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\ahnzbn.exe
        
        C:\Windows\system32\ahnzbn.exe 2416 "C:\Windows\SysWOW64\nyhoyn.exe"
        313⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        314⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        315⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\kkcjoq.exe
        
        C:\Windows\system32\kkcjoq.exe 2404 "C:\Windows\SysWOW64\ahnzbn.exe"
        314⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        315⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        316⤵
        Runs .reg file with regedit
        
        PID:1492
        
        C:\Windows\SysWOW64\xixmxq.exe
        
        C:\Windows\system32\xixmxq.exe 2424 "C:\Windows\SysWOW64\kkcjoq.exe"
        315⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        316⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        317⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\njuuyz.exe
        
        C:\Windows\system32\njuuyz.exe 2428 "C:\Windows\SysWOW64\xixmxq.exe"
        316⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        317⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        318⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\xmjftc.exe
        
        C:\Windows\system32\xmjftc.exe 2432 "C:\Windows\SysWOW64\njuuyz.exe"
        317⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        318⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        319⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\khbuzg.exe
        
        C:\Windows\system32\khbuzg.exe 2436 "C:\Windows\SysWOW64\xmjftc.exe"
        318⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        319⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        320⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\yulkfc.exe
        
        C:\Windows\system32\yulkfc.exe 2440 "C:\Windows\SysWOW64\khbuzg.exe"
        319⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        320⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        321⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\lhcalg.exe
        
        C:\Windows\system32\lhcalg.exe 2444 "C:\Windows\SysWOW64\yulkfc.exe"
        320⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        321⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        322⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\vggxvf.exe
        
        C:\Windows\system32\vggxvf.exe 2448 "C:\Windows\SysWOW64\lhcalg.exe"
        321⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        322⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        323⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\ityvbi.exe
        
        C:\Windows\system32\ityvbi.exe 2452 "C:\Windows\SysWOW64\vggxvf.exe"
        322⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        323⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        324⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\sacsth.exe
        
        C:\Windows\system32\sacsth.exe 2456 "C:\Windows\SysWOW64\ityvbi.exe"
        323⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        324⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        325⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\fqfvch.exe
        
        C:\Windows\system32\fqfvch.exe 2460 "C:\Windows\SysWOW64\sacsth.exe"
        324⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        325⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        326⤵
        Modifies security service
        
        PID:5300
        
        C:\Windows\SysWOW64\sdolil.exe
        
        C:\Windows\system32\sdolil.exe 2464 "C:\Windows\SysWOW64\fqfvch.exe"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        326⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        327⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\fcjnqt.exe
        
        C:\Windows\system32\fcjnqt.exe 2468 "C:\Windows\SysWOW64\sdolil.exe"
        326⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        327⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        328⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\qykyyo.exe
        
        C:\Windows\system32\qykyyo.exe 2472 "C:\Windows\SysWOW64\fcjnqt.exe"
        327⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        328⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        329⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\dlbnes.exe
        
        C:\Windows\system32\dlbnes.exe 2476 "C:\Windows\SysWOW64\qykyyo.exe"
        328⤵
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        329⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        330⤵
        Modifies security service
        
        PID:2892
        
        C:\Windows\SysWOW64\qyldkn.exe
        
        C:\Windows\system32\qyldkn.exe 2480 "C:\Windows\SysWOW64\dlbnes.exe"
        329⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        330⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        331⤵
        Modifies security service
        
        PID:5456
        
        C:\Windows\SysWOW64\dartva.exe
        
        C:\Windows\system32\dartva.exe 2484 "C:\Windows\SysWOW64\qyldkn.exe"
        330⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        331⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        332⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:392
        
        C:\Windows\SysWOW64\qnjjbe.exe
        
        C:\Windows\system32\qnjjbe.exe 2420 "C:\Windows\SysWOW64\dartva.exe"
        331⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        332⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:5652
        
        C:\Windows\SysWOW64\dddlre.exe
        
        C:\Windows\system32\dddlre.exe 2492 "C:\Windows\SysWOW64\qnjjbe.exe"
        332⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        333⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        334⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\nzeezy.exe
        
        C:\Windows\system32\nzeezy.exe 2496 "C:\Windows\SysWOW64\dddlre.exe"
        333⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        334⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        335⤵
        Runs .reg file with regedit
        
        PID:2824
        
        C:\Windows\SysWOW64\xyqbjx.exe
        
        C:\Windows\system32\xyqbjx.exe 2500 "C:\Windows\SysWOW64\nzeezy.exe"
        334⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        335⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        336⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\nkrwnk.exe
        
        C:\Windows\system32\nkrwnk.exe 2504 "C:\Windows\SysWOW64\xyqbjx.exe"
        335⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        336⤵
        
        PID:540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        337⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\aximto.exe
        
        C:\Windows\system32\aximto.exe 2508 "C:\Windows\SysWOW64\nkrwnk.exe"
        336⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        337⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        338⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\ltbwbj.exe
        
        C:\Windows\system32\ltbwbj.exe 2512 "C:\Windows\SysWOW64\aximto.exe"
        337⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        338⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        339⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\xvhmun.exe
        
        C:\Windows\system32\xvhmun.exe 2516 "C:\Windows\SysWOW64\ltbwbj.exe"
        338⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        339⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        340⤵
        
        PID:540
        
        C:\Windows\SysWOW64\kizcar.exe
        
        C:\Windows\system32\kizcar.exe 2520 "C:\Windows\SysWOW64\xvhmun.exe"
        339⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        340⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        341⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\xytejz.exe
        
        C:\Windows\system32\xytejz.exe 2524 "C:\Windows\SysWOW64\kizcar.exe"
        340⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        341⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        342⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\ixgcty.exe
        
        C:\Windows\system32\ixgcty.exe 2528 "C:\Windows\SysWOW64\xytejz.exe"
        341⤵
        
        PID:1132

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:760

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv GHyJxrreFE+bS15IHJgrDg.0.2
1⤵
PID:864

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4264

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
300B

MD5
9e1df6d58e6c905e4628df434384b3c9

SHA1
e67dd641da70aa9654ed24b19ed06a3eb8c0db43

SHA256
25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

SHA512
93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8c6aa92ac8ffdfb7a0fb3dafd14d65f1

SHA1
cac3992d696a99a5dec2ab1c824c816117414b16

SHA256
dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

SHA512
f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5da7efcc8d0fcdf2bad7890c3f8a27ca

SHA1
681788d5a3044eee8426d431bd786375cd32bf13

SHA256
7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

SHA512
6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f5fa5178657d29a36c5dc4ac9445cbdc

SHA1
4be1a87a89715d24d52b23c59006f9cb74437ba0

SHA256
f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114

SHA512
54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
b99b0dc7cab4e69d365783a5c4273a83

SHA1
5fcc44aa2631c923e9961266a2e0dbeaaabe84da

SHA256
1fc967a5c8f7859ba0c410978d165085f241195fe4a31d61a127e38c30d435e4

SHA512
495474416f5eccd40829d42f050464903273d564cb862b1bd0657262485e634b5d466363cac085406c6d830f42a2f7b5648818b2efe6db1a90833a4b90a6a14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5575ef034e791d4d3b09da6c0c4ee764

SHA1
50a0851ddf4b0c4014ad91f976e953baffe30951

SHA256
9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14

SHA512
ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
c8441ec8a2edf9b2f4f631fe930ea4d9

SHA1
2855ee21116b427d280fcaa2471c9bd3d2957f6f

SHA256
dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184

SHA512
b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
1c6131354c6987300ea512b765475b82

SHA1
2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53

SHA256
3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640

SHA512
b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8a36f3bf3750851d8732b132fa330bb4

SHA1
1cb36be31f3d7d9439aac14af3d7a27f05a980eb

SHA256
5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9

SHA512
a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
431B

MD5
9fa547ff360b09f7e093593af0b5a13b

SHA1
9debc99bb7450f59a7b09f16c0393e5c7a955ba4

SHA256
7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

SHA512
30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a920eceddece6cf7f3487fd8e919af34

SHA1
a6dee2d31d4cbd1b18f5d3bc971521411a699889

SHA256
ec2d3952154412db3202f5c95e4d1b02c40a7f71f4458898ddc36e827a7b32d6

SHA512
a4700af2ce477c7ce33f434cdddd4031e88c3926d05475f522a753063269fe8b6e50b649c3e939272240194951cb70ac05df533978c19839e381141535275ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
8d6eb64e58d3f14686110fcaf1363269

SHA1
d85c0b208716b400894ba4cb569a5af4aa178a2f

SHA256
c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5

SHA512
5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
360B

MD5
3a1a83c2ffad464e87a2f9a502b7b9f1

SHA1
4ffa65ecdd0455499c8cd6d05947605340cbf426

SHA256
73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6

SHA512
8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5002319f56002f8d7ceacecf8672ce25

SHA1
3b26b6801be4768cc7582e29bc93facdf2a74be3

SHA256
f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c

SHA512
8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
e6d8af5aed642209c88269bf56af50ae

SHA1
633d40da997074dc0ed10938ebc49a3aeb3a7fc8

SHA256
550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

SHA512
6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a437192517c26d96c8cee8d5a27dd560

SHA1
f665a3e5e5c141e4527509dffd30b0320aa8df6f

SHA256
d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23

SHA512
f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5bf31d7ea99b678c867ccdec344298aa

SHA1
2e548f54bf50d13993105c4f59bbeaeb87b17a68

SHA256
52be521b5509b444c0369ea7e69fc06b2d0b770cf600386c9a0178225ccdd281

SHA512
1bc82b65efe8c2be419748c8534210e7ad8cc8332ef87fb5df828eaebfdf630066ab3ad8d3ceeb82dee5ec4e680daff2748fcd4beaad8c71f1477b2ec7fe3564

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
208B

MD5
67a0c98a371995d5434cb9788ee1c42f

SHA1
7171d3dca52f038ca9d9e8b13f356462dbc8f3cc

SHA256
2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3

SHA512
f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
298B

MD5
4117e5a9c995bab9cd3bce3fc2b99a46

SHA1
80144ccbad81c2efb1df64e13d3d5f59ca4486da

SHA256
37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292

SHA512
bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
989c5352030fafd44b92adf4d4164738

SHA1
e02985c15eb20682115e3fc343f829e28770ed6c

SHA256
248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

SHA512
9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
614dc91c25423b19711b270e1e5a49ad

SHA1
f66496dcf9047ae934bdc4a65f697be55980b169

SHA256
cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e

SHA512
27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5855edf3afa67e11de78af0389880d18

SHA1
c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f

SHA256
c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa

SHA512
5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
1daa413d1a8cd1692f2e4ae22b54c74a

SHA1
2e02e2a23cfaa62f301e29a117e291ff93cc5d31

SHA256
10732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33

SHA512
b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
908860a865f8ed2e14085e35256578dd

SHA1
7ff5ee35cc7e96a661848eb95a70d0b8d2d78603

SHA256
d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f

SHA512
a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
206B

MD5
2d9f1ff716273d19e3f0d10a3cd8736f

SHA1
b4ca02834dd3f3489c5088d2157279d2be90f5ff

SHA256
9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

SHA512
1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
86B

MD5
81f2f44f6ecac84e6336cf272aff53bf

SHA1
24d388235609e7560066b834be91c5407b202b1f

SHA256
b6c9d291084087663b29aa58c8a14f13ec1cb80a499c6ae60cc71002b6376636

SHA512
44efc9c05c4cdeb189308e894734cef5c83b8be80850441989e45c29671facecb7be9504291a6947443da227b35555ecd933136e2e819c20c2ddeafcf01b87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1024B

MD5
159bb1d34a927f58fc851798c7c09b58

SHA1
c3a26565004531f3a93e29eabb0f9a196b4c1ba2

SHA256
53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

SHA512
b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
117efa689c5631c1a1ee316f123182bd

SHA1
f477bf1e9f4db8452bd9fe314cd18715f7045689

SHA256
79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

SHA512
abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a57e37dfb6f88b2d04424936ed0b4afb

SHA1
35e2f81486b8420b88b7693ad3e92f846367cb12

SHA256
411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d

SHA512
41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5aa228bc61037ddaf7a22dab4a04e9a1

SHA1
b50fcd8f643ea748f989a06e38c778884b3c19f2

SHA256
65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b

SHA512
2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Windows\SysWOW64\lrswns.exe

Filesize
133KB

MD5
8ec30d64f460f0d80729fe2cbc74160d

SHA1
c4b0d00909390d4d4981ef644ba0e9771c64c3e6

SHA256
3d83bd98c2c741ddd28642f11f98ce4038442a2aa95a636ab664c82c03b8badc

SHA512
faefe185844b575ee4033d35d6a5e0782191ef702bf35650e6913c54ef1a1202ecc77d13d4d0cf25ef5a16d37b268650d5d48a7ef299793ccea3f5ab438d6cf5

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/116-1396-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/116-1169-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/220-1163-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/228-4672-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/624-2312-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/804-3211-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/860-2873-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/880-3773-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/940-5919-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/952-5354-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/964-1046-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-8645-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1060-8420-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1088-6829-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1228-2652-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1260-5013-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1260-4789-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1352-10027-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1352-10251-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1372-7056-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1392-9101-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1392-9220-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1400-3547-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-7739-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1472-7964-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1532-8530-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1532-8306-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1560-2088-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1564-231-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1564-0-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1580-6151-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1580-6375-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1604-6943-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1604-6720-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1664-7736-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1668-9562-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1668-9336-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1764-344-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1884-1282-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1932-2200-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1984-1746-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2000-9565-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2000-9684-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2016-9678-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2016-9796-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2112-8189-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2132-7850-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2180-8416-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2272-3662-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2380-5922-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2380-6148-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2388-5692-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2404-8870-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2584-7399-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2584-7622-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2604-1978-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2620-9910-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2776-9098-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-3323-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-3103-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2816-4449-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2828-2988-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2832-10024-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2848-10138-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2848-9912-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2912-7509-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2916-3098-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3036-2424-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3124-4784-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3412-7396-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3440-2761-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3460-9222-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3460-9448-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3464-5468-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3484-3435-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3588-7853-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3588-8077-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3608-6493-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3608-6717-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3652-5579-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3652-5357-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3704-2536-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3776-5809-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3776-6033-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3792-5128-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3876-3779-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/3876-3998-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4044-702-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4044-927-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4052-1636-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4052-1862-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4064-813-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4076-5806-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4188-7283-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4188-7059-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4256-8984-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4292-3666-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4292-3888-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4364-5240-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4364-5017-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4372-4110-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4432-8986-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4432-9106-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4460-4334-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4484-6604-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4484-6378-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4496-9465-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4496-9676-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4540-7169-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4588-1632-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4640-1512-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4640-1312-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4768-580-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4776-8303-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4784-4222-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4808-6036-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4808-6262-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4812-6490-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4812-6265-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4952-4563-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4972-4900-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4976-9334-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4976-9109-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4984-8534-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/4984-8757-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5044-463-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5088-694-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/5088-469-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads