0d5c5897275433b4daba75341d4d31f09c864704b24a285d61120b1f89fa5073

Analysis

max time kernel
114s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe
Size

68KB
MD5

c259e839c3bf1643faad6755dbb4a45b
SHA1

75fd37e261d3c8d515a2744f40b5eadf9971b630
SHA256

0d5c5897275433b4daba75341d4d31f09c864704b24a285d61120b1f89fa5073
SHA512

d3e07764f1add49ba6a26c78e010e1ec2ce55e546b476ad88301f34fa5dc362769b755b80e3e7c7d3656495f7201a023074e1a61bad69e3957ae5e3ad39d0d28
SSDEEP

1536:CzX1z1RieG2bPWjjlAn+3hlG8aLIARvvoDNI6gDWgAee9YB/PvQ:CzX11IeG24C+3h/oIAR3MIVeOPvQ

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3600	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2724	EXPL0RER.EXE
496	EXPL0RER.EXE
2652	EXPL0RER.EXE
572	EXPL0RER.EXE
2228	EXPL0RER.EXE
1060	EXPL0RER.EXE
308	EXPL0RER.EXE
1860	EXPL0RER.EXE
1944	EXPL0RER.EXE
2960	EXPL0RER.EXE
1624	EXPL0RER.EXE
2216	EXPL0RER.EXE
1956	EXPL0RER.EXE
940	EXPL0RER.EXE
2012	EXPL0RER.EXE
2520	EXPL0RER.EXE
2432	EXPL0RER.EXE
868	EXPL0RER.EXE
2720	EXPL0RER.EXE
2824	EXPL0RER.EXE
2832	EXPL0RER.EXE
2588	EXPL0RER.EXE
1656	EXPL0RER.EXE
296	EXPL0RER.EXE
2188	EXPL0RER.EXE
2272	EXPL0RER.EXE
1976	EXPL0RER.EXE
1420	EXPL0RER.EXE
1792	EXPL0RER.EXE
1968	EXPL0RER.EXE
2412	EXPL0RER.EXE
2360	EXPL0RER.EXE
2232	EXPL0RER.EXE
1364	EXPL0RER.EXE
1728	EXPL0RER.EXE
568	EXPL0RER.EXE
2964	EXPL0RER.EXE
1804	EXPL0RER.EXE
2072	EXPL0RER.EXE
2612	EXPL0RER.EXE
2828	EXPL0RER.EXE
376	EXPL0RER.EXE
580	EXPL0RER.EXE
1832	EXPL0RER.EXE
2328	EXPL0RER.EXE
1760	EXPL0RER.EXE
3032	EXPL0RER.EXE
2756	EXPL0RER.EXE
1212	EXPL0RER.EXE
624	EXPL0RER.EXE
1752	EXPL0RER.EXE
1724	EXPL0RER.EXE
1540	EXPL0RER.EXE
2504	EXPL0RER.EXE
1592	EXPL0RER.EXE
2604	EXPL0RER.EXE
2624	EXPL0RER.EXE
1652	EXPL0RER.EXE
2420	EXPL0RER.EXE
1648	EXPL0RER.EXE
1768	EXPL0RER.EXE
2140	EXPL0RER.EXE
2480	EXPL0RER.EXE
2284	EXPL0RER.EXE

Loads dropped DLL 64 IoCs

pid	Process
2824	regsvr32.exe
1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe
1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe
2600	regsvr32.exe
2724	EXPL0RER.EXE
2724	EXPL0RER.EXE
2608	regsvr32.exe
496	EXPL0RER.EXE
496	EXPL0RER.EXE
1652	regsvr32.exe
2652	EXPL0RER.EXE
2652	EXPL0RER.EXE
3004	regsvr32.exe
572	EXPL0RER.EXE
572	EXPL0RER.EXE
2176	regsvr32.exe
2228	EXPL0RER.EXE
2228	EXPL0RER.EXE
2564	regsvr32.exe
1060	EXPL0RER.EXE
1060	EXPL0RER.EXE
2880	regsvr32.exe
308	EXPL0RER.EXE
308	EXPL0RER.EXE
1452	regsvr32.exe
1860	EXPL0RER.EXE
1860	EXPL0RER.EXE
2220	regsvr32.exe
1944	EXPL0RER.EXE
1944	EXPL0RER.EXE
2360	regsvr32.exe
2960	EXPL0RER.EXE
2960	EXPL0RER.EXE
624	regsvr32.exe
1624	EXPL0RER.EXE
1624	EXPL0RER.EXE
872	regsvr32.exe
2216	EXPL0RER.EXE
2216	EXPL0RER.EXE
1612	regsvr32.exe
1956	EXPL0RER.EXE
1956	EXPL0RER.EXE
1228	regsvr32.exe
940	EXPL0RER.EXE
940	EXPL0RER.EXE
2972	regsvr32.exe
2012	EXPL0RER.EXE
2012	EXPL0RER.EXE
2040	regsvr32.exe
2520	EXPL0RER.EXE
2520	EXPL0RER.EXE
1804	regsvr32.exe
2432	EXPL0RER.EXE
2432	EXPL0RER.EXE
2468	regsvr32.exe
868	EXPL0RER.EXE
868	EXPL0RER.EXE
2788	regsvr32.exe
2720	EXPL0RER.EXE
2720	EXPL0RER.EXE
2604	regsvr32.exe
2824	EXPL0RER.EXE
2824	EXPL0RER.EXE
2576	regsvr32.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-12-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/files/0x00080000000164b1-5.dat	upx
behavioral1/memory/2724-30-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/496-45-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/496-56-0x0000000000340000-0x0000000000373000-memory.dmp	upx
behavioral1/memory/2652-60-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1508-76-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2724-96-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/496-112-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2652-131-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/308-129-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/572-152-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1860-151-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2228-164-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1060-177-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/308-186-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2960-185-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1624-198-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1860-210-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1956-226-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1944-225-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2960-234-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1624-247-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/940-246-0x00000000001B0000-0x00000000001E3000-memory.dmp	upx
behavioral1/memory/2216-264-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2520-263-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1956-271-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/940-284-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2012-296-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2824-313-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2520-308-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2432-321-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2588-339-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1656-349-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/868-347-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/296-360-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2720-359-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2824-373-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2832-384-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2588-390-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1656-404-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1976-403-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/296-412-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2188-424-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2272-437-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2272-449-0x0000000000220000-0x0000000000253000-memory.dmp	upx
behavioral1/memory/1976-450-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1420-464-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1792-477-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1968-501-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1728-514-0x0000000000440000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2412-513-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2360-527-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2232-528-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1804-545-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1364-543-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1728-552-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/568-567-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2964-581-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/1804-594-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/2072-598-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\SysModule32.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File created	C:\Windows\SysWOW64\SysModule64.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\$$336699.bat	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXEabc	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE
File opened for modification	C:\Windows\SysWOW64\EXPL0RER.EXE	EXPL0RER.EXE

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File created	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE
File opened for modification	C:\Windows\MFCD3O.DLL	EXPL0RER.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4556	2624	WerFault.exe	143

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXPL0RER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID\ = "SysModule64.classname"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid\ = "{081FE200-A103-11D7-A46D-C770E4459F2F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ = "hookmir"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SysModule64.classname	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{081FE200-A103-11D7-A46D-C770E4459F2F}\InprocServer32\ = "C:\\Windows\\SysWow64\\SysModule64.DLL"	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2824	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2724	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2724	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2724	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	31
PID 1508 wrote to memory of 2724	1508	c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 2600	2724	EXPL0RER.EXE	32
PID 2724 wrote to memory of 496	2724	EXPL0RER.EXE	33
PID 2724 wrote to memory of 496	2724	EXPL0RER.EXE	33
PID 2724 wrote to memory of 496	2724	EXPL0RER.EXE	33
PID 2724 wrote to memory of 496	2724	EXPL0RER.EXE	33
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2608	496	EXPL0RER.EXE	34
PID 496 wrote to memory of 2652	496	EXPL0RER.EXE	35
PID 496 wrote to memory of 2652	496	EXPL0RER.EXE	35
PID 496 wrote to memory of 2652	496	EXPL0RER.EXE	35
PID 496 wrote to memory of 2652	496	EXPL0RER.EXE	35
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 1652	2652	EXPL0RER.EXE	36
PID 2652 wrote to memory of 572	2652	EXPL0RER.EXE	37
PID 2652 wrote to memory of 572	2652	EXPL0RER.EXE	37
PID 2652 wrote to memory of 572	2652	EXPL0RER.EXE	37
PID 2652 wrote to memory of 572	2652	EXPL0RER.EXE	37
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 3004	572	EXPL0RER.EXE	38
PID 572 wrote to memory of 2228	572	EXPL0RER.EXE	39
PID 572 wrote to memory of 2228	572	EXPL0RER.EXE	39
PID 572 wrote to memory of 2228	572	EXPL0RER.EXE	39
PID 572 wrote to memory of 2228	572	EXPL0RER.EXE	39
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 2176	2228	EXPL0RER.EXE	40
PID 2228 wrote to memory of 1060	2228	EXPL0RER.EXE	41
PID 2228 wrote to memory of 1060	2228	EXPL0RER.EXE	41

C:\Users\Admin\AppData\Local\Temp\c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c259e839c3bf1643faad6755dbb4a45b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2824
- C:\Windows\SysWOW64\EXPL0RER.EXE
  C:\Windows\system32\EXPL0RER.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
    3⤵
    - Loads dropped DLL
    PID:2600
- - C:\Windows\SysWOW64\EXPL0RER.EXE
    C:\Windows\system32\EXPL0RER.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:496
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
      4⤵
      Loads dropped DLL
      PID:2608
  - - C:\Windows\SysWOW64\EXPL0RER.EXE
      C:\Windows\system32\EXPL0RER.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        5⤵
        Loads dropped DLL
        
        PID:1652
    - - C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:572
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3004
      - C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        7⤵
        Loads dropped DLL
        
        PID:2176
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1060
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        8⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:308
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        9⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1860
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        10⤵
        Loads dropped DLL
        
        PID:1452
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        11⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2960
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        12⤵
        Loads dropped DLL
        
        PID:2360
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        14⤵
        Loads dropped DLL
        
        PID:872
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        15⤵
        Loads dropped DLL
        
        PID:1612
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:940
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        16⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2012
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        17⤵
        Loads dropped DLL
        
        PID:2972
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        18⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2432
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        19⤵
        Loads dropped DLL
        
        PID:1804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:868
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        20⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        21⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2824
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        22⤵
        Loads dropped DLL
        
        PID:2604
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        22⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        23⤵
        Loads dropped DLL
        
        PID:2576
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2588
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        24⤵
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        24⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        25⤵
        
        PID:548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:296
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        26⤵
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        26⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        27⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2272
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        28⤵
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        28⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        29⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        29⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        30⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        30⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        31⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        31⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        32⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2412
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        33⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        33⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        34⤵
        
        PID:624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        34⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        35⤵
        
        PID:976
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        35⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        36⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        37⤵
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        37⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        38⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        38⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        39⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        40⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        40⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        41⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        42⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        43⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:376
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        44⤵
        
        PID:548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        44⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        45⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        45⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        47⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        47⤵
        Executes dropped EXE
        
        PID:1760
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        49⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        49⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        50⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        51⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        52⤵
        Modifies registry class
        
        PID:328
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        52⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1752
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        53⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1724
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        54⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        54⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        55⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        56⤵
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        57⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        57⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        58⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        59⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        60⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        60⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        61⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        61⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        62⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        62⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1768
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        63⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        63⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        64⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        64⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        65⤵
        
        PID:604
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        65⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2284
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        66⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        66⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        67⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        67⤵
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        68⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        68⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        69⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        69⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        70⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        70⤵
        Drops file in Windows directory
        
        PID:2788
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        71⤵
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        71⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        72⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        72⤵
        
        PID:484
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        73⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        73⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        74⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        74⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        75⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        75⤵
        Drops file in Windows directory
        
        PID:2676
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        76⤵
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        76⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        77⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        77⤵
        
        PID:856
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        78⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        78⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        79⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        79⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1532
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        80⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        81⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        81⤵
        Drops file in Windows directory
        
        PID:2396
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        82⤵
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        83⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        83⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        84⤵
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        84⤵
        
        PID:536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        85⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        85⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        86⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        87⤵
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        87⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        88⤵
        
        PID:792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        88⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        89⤵
        
        PID:448
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        89⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        90⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        90⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1716
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        91⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        91⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        92⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        92⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        93⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        93⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        94⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1492
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        95⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        95⤵
        Drops file in Windows directory
        
        PID:1776
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        96⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        96⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        97⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        97⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        98⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        98⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        99⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        99⤵
        
        PID:328
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        100⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        100⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        101⤵
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        101⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        102⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        102⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        103⤵
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        103⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        104⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        104⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        105⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        106⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        106⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        107⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        107⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        108⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        109⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        109⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        110⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        110⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        111⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        111⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        112⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        112⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        113⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        113⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        114⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        114⤵
        Drops file in Windows directory
        
        PID:948
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        115⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        115⤵
        Drops file in Windows directory
        
        PID:1392
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        116⤵
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        116⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        117⤵
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        117⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        118⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        118⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        119⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        119⤵
        Drops file in Windows directory
        
        PID:2236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        120⤵
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        120⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        121⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        122⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        123⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        123⤵
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        124⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        124⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        125⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        125⤵
        
        PID:844
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        126⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        126⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        127⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        127⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        128⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        128⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        129⤵
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        130⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        130⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        131⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        132⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        132⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        133⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        133⤵
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        134⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        134⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        135⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        135⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        136⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        136⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        137⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        137⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        138⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        138⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        139⤵
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        139⤵
        Drops file in Windows directory
        
        PID:2900
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        140⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        140⤵
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        141⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        141⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        142⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        142⤵
        Drops file in Windows directory
        
        PID:2748
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        143⤵
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        143⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        144⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        144⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        145⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        145⤵
        
        PID:300
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        146⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        146⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        147⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        148⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        149⤵
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        149⤵
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        150⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        150⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        151⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        151⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        152⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        152⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        153⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        153⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        154⤵
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        154⤵
        Drops file in Windows directory
        
        PID:1712
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        155⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        155⤵
        Drops file in Windows directory
        
        PID:1764
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        156⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        156⤵
        Drops file in Windows directory
        
        PID:304
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        157⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        157⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        158⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        158⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        159⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        159⤵
        Drops file in Windows directory
        
        PID:548
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        160⤵
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        160⤵
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        161⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        161⤵
        Drops file in Windows directory
        
        PID:2512
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        162⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        162⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        163⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        163⤵
        
        PID:448
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        164⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        164⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        165⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        165⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        166⤵
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        166⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        167⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        167⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        168⤵
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        168⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        169⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        169⤵
        Drops file in Windows directory
        
        PID:3008
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        170⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        170⤵
        Drops file in Windows directory
        
        PID:804
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        171⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        171⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        172⤵
        Modifies registry class
        
        PID:1572
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        172⤵
        Drops file in Windows directory
        
        PID:1560
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        173⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        173⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        174⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        174⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1600
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        175⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        175⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        176⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        176⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        177⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        177⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        178⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        179⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        179⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        180⤵
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        180⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        181⤵
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        181⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        182⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        182⤵
        Drops file in Windows directory
        
        PID:3040
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        183⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        183⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        184⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        184⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        185⤵
        
        PID:792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        185⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        186⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        187⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        187⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        188⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        188⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        189⤵
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        190⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        190⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        191⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        191⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        192⤵
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        192⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        193⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        193⤵
        Drops file in Windows directory
        
        PID:3548
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        194⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        194⤵
        Drops file in Windows directory
        
        PID:3608
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        195⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        195⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        196⤵
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        196⤵
        Drops file in System32 directory
        
        PID:3764
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        197⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        198⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        198⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        199⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        199⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        200⤵
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        200⤵
        Drops file in Windows directory
        
        PID:4000
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        201⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        201⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        202⤵
        
        PID:792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        202⤵
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        203⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        203⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        204⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        204⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        205⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        205⤵
        Drops file in Windows directory
        
        PID:3296
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        206⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        206⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        207⤵
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        207⤵
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        208⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        208⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        209⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        209⤵
        Drops file in Windows directory
        
        PID:3568
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        210⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        210⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        211⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        211⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        212⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        212⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        213⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        213⤵
        Drops file in System32 directory
        
        PID:3852
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        214⤵
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        214⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        215⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        215⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        216⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        216⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        217⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        217⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        218⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        218⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        219⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        220⤵
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        220⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        221⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        221⤵
        Drops file in Windows directory
        
        PID:3396
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        222⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        222⤵
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        223⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        223⤵
        Drops file in Windows directory
        
        PID:3556
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        224⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        224⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        225⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        225⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        226⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        226⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        227⤵
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        227⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        228⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        228⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        229⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        229⤵
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        230⤵
        
        PID:792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        230⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        231⤵
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        231⤵
        Drops file in Windows directory
        
        PID:3184
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        232⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        232⤵
        Drops file in Windows directory
        
        PID:3276
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        233⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        233⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        234⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        234⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        235⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        235⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        236⤵
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        236⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        237⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        237⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        238⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        238⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        239⤵
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        239⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        240⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        240⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3992
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        241⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        241⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        242⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        242⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        243⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        243⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        244⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        244⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        245⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        245⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        246⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        246⤵
        Drops file in Windows directory
        
        PID:3536
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        247⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        247⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        248⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        248⤵
        Drops file in Windows directory
        
        PID:3748
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        249⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        249⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        250⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        250⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        251⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        251⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        252⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        252⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        253⤵
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        253⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        254⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        254⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3412
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        255⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        255⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        256⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        256⤵
        Drops file in Windows directory
        
        PID:3744
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        257⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        257⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        258⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        258⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        259⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        259⤵
        Drops file in Windows directory
        
        PID:3388
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        260⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        260⤵
        Drops file in Windows directory
        
        PID:3500
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        261⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        262⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        263⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        263⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        264⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        264⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        265⤵
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        265⤵
        Drops file in Windows directory
        
        PID:3620
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        266⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        266⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        267⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        267⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        268⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        268⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        269⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        269⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        270⤵
        
        PID:792
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        270⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        271⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:496
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32.exe /s C:\Windows\system32\SysModule64.DLL
        273⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\EXPL0RER.EXE
        
        C:\Windows\system32\EXPL0RER.EXE
        273⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        273⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        272⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        271⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        270⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        269⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        268⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        267⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        266⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        265⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        264⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        263⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        262⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        261⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        260⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        259⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        258⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        257⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        256⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        255⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        254⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        253⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        252⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:6936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        250⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        249⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        248⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        247⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        246⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        245⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        244⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        243⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        242⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        241⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        240⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        239⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        238⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        236⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        235⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        234⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        233⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        232⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        231⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        229⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        228⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        227⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        226⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        225⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        224⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        223⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        222⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        221⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        220⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        219⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        218⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        217⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        216⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        215⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        214⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        213⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        212⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        211⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        210⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        209⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        208⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        207⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        206⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        205⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        204⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        202⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        201⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        200⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        199⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        198⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        197⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        196⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        195⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        194⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        193⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        192⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        191⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        190⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        189⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        188⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        187⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        186⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        185⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        183⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        182⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        181⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        180⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        179⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        178⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        177⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        176⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        175⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        174⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        173⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        172⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        171⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        170⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        169⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        168⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        167⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        166⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        164⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        163⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        162⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        161⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        160⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        158⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        157⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        156⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        155⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        154⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        153⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        152⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        151⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        150⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        149⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        148⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        147⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        146⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        145⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        144⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        143⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        142⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        141⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        140⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        139⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        138⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        137⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        135⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        134⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        133⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        132⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        131⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        130⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        129⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        128⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        127⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        125⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        124⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        123⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        122⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        121⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        120⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        119⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        118⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        117⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        116⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        115⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        114⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        113⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        112⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        111⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        110⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        109⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        108⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        107⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        106⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        105⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        104⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        103⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        102⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        101⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        100⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        99⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        98⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        97⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        96⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        95⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        94⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        93⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        92⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        91⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        90⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        88⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        87⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        86⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        85⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        84⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        83⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        82⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        81⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        80⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        79⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        78⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        77⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        76⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        75⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        74⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        72⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        71⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        70⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        69⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        68⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        66⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        65⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        64⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        63⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        60⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 144
        59⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        58⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        57⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        56⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        55⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        54⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        53⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        52⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        51⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        50⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        49⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        48⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        47⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        45⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        44⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        43⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        42⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        41⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        40⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        38⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        37⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        36⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        35⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        34⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        33⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        31⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        30⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        29⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        28⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        27⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        26⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        25⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        23⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        22⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        21⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        20⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        19⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        18⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        17⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        15⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        14⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        12⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        11⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        10⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        9⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        8⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        7⤵
        
        PID:3220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        6⤵
        
        PID:4008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\SysWOW64\$$336699.bat
        5⤵
        
        PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\SysWOW64\$$336699.bat
      4⤵
      PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\SysWOW64\$$336699.bat
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$336699.bat
  2⤵
  - Deletes itself
  PID:3600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6851392221748026633-867333460-50043751-189467294718346080912125119228-1055032048"
1⤵
PID:3932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-856993760861571441188447702-19708416421639513449374653449-20887336242136449075"
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1639649664167456069-283570096656609635-394412560-1484886853-16047807761535325435"
1⤵
PID:3120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1701007471-901366564-537674596317498708-19087786211041426650-1633135832168672634"
1⤵
PID:3892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2135951606-168869433-1196442260624795314-56766406740530715-32034664823873170"
1⤵
PID:2344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-346413330345603859-912495526-1877620678-1013699930-1533214480-16961342911177656813"
1⤵
PID:3132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1459687693-57415257957236260-1348649785-64636192413182829771317805731692766093"
1⤵
PID:3832

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "99609940318071748477287032492046470140-973906201-62982497796921989258381089"
1⤵
PID:1392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1033632005-1409826061620126549-993500562-1553994476-1922901061175987339-1941225867"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "841639094321085194-1408055411-13541651731480344311-288414774196177169543317771"
1⤵
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1192324486-436594626183271949681913763-1593553605-15031654641552579052-994862174"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1721514725-1720166950210054649-118698156714967654221675739998-10588821291913634765"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-982472278-980024814-201924130240378445732841131720017316351263361503-224949456"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1246663879-19597412042333320841155402124161304815-33554142189947205-1091065618"
1⤵
PID:2516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1166929944-2015097220-582123188801248391588106089-6003644901709250931-2027784740"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "386571060-72249386-1511844976-10279472667058672551052093105170434122401192"
1⤵
PID:2848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10486464211417862650685053503-1303310870-871684021-870671294-12155129631607683932"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14380778271530754586-187352140819328141571512644010-1187353146-2141454916-922807153"
1⤵
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "222514380-239659069159712741210275092921122972896-1744371572639011825-1659434054"
1⤵
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "600664089-1352539713-299696508-1427655182-1758287817-99010221-2360072505566859"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1377108475-5848919331345060796-1465540555325009554-7360896691205165834-320197367"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1837357535-13469101-2095645191-1383767944-5054812-15107699401799998396691480142"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13776613692143641451-2000625635-88688940411621370147286165891796747440114593711"
1⤵
PID:5628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1028650659-1158402331367161861-366556789-21870109110412714831963829981-139213703"
1⤵
PID:3144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1744268904-938500738-355511779-7960806321687093332250970589-840933457-209078960"
1⤵
PID:3608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1779636953-34213990-1493044923-1840710125-1136249371-496519491-19428794-2118564281"
1⤵
PID:3296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11858403481697811672179185254-5314802421560748822-1735226908-1462857895499076679"
1⤵
PID:3920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1433789802-712933731998170951-475847583-7448515413458863683130370601007826904"
1⤵
PID:3168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1399634347976897281-155897148-331914431-877517052284310675-11010572421278592818"
1⤵
PID:3556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12919953419247437931080872924-1457386771-10042798971951446270-1550043014-580899366"
1⤵
PID:3252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-37904667-1526496638642378860-862508346-1333825427-1728198801-1479043702-547107593"
1⤵
PID:3908

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1263796973672965924-21101115472133681338534272073-1213265444693878083-1239643757"
1⤵
PID:3812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-50544875-4836026891854212233467207221287861542-10158842501072869568-2093216929"
1⤵
PID:3304

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1077834995-1679999806-191807679713412763848144902154116338981476711198429495428"
1⤵
PID:4084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "265313311559038382-1375072268-179030936-20597120317721719671270156910884828212"
1⤵
PID:3700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1418067122-442252156-1430050516188928645669577461992512147031410731569322432"
1⤵
PID:3732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3691651472227578959634239392068812563-2095537611-19700794061881781418-679171432"
1⤵
PID:3604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "763456832329609749-211077211750511769815936364771024645047997679062-615861928"
1⤵
PID:3952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555306052-2049103060-9880498291031251177180047493597240513-20579465971743728227"
1⤵
PID:3744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1655842178-1249108491-166700065220850599908088897621134646509241911778-62709101"
1⤵
PID:3632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-105883056115464143111132526426209935541844521948144901030422553546107099120"
1⤵
PID:3536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1795027158-1267970782-11695439541216752922-636556134-1062284935205212612-576214644"
1⤵
PID:3864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-838730248325098160202240-2409680321289867596705009284-631607846-1151181818"
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$336699.bat

Filesize
259B

MD5
bf4ae4666931672ecb8a3fe3e60016c3

SHA1
5eb9361bc64b29c1db4aab55ba4e93b4f03682b5

SHA256
da8a0ce0ac63936d78ded3fc3571f478718935003caf096e030f8057300e27dc

SHA512
3180868a40686c360b351d5ad5117a36f2d91f53eccd1977ec415c9854429301db9f9ddfaf586cd7d83b69ec6e33d3ddacdfefd69b7823d0618cfaf38e9070bd

Download Submit
C:\Windows\SysWOW64\$$336699.bat

Filesize
141B

MD5
e3efc16ca26ae31f9885ee9549ff1f82

SHA1
4321f47a61712ffbbad7a39691359474db4b947c

SHA256
a03f261cc17b929ef96c2faeef03b77af3b62ab84bbb73a79beb84878b1bfa61

SHA512
f376e9be088782e394d21958bcdb5e7f00605b05290eff1320d64d5a76bfa619c260c8b5d971e7015bb118f0dd13ad73033f76e55b717611bc1a7d876f8e62ab

Download Submit
C:\Windows\SysWOW64\EXPL0RER.EXE

Filesize
68KB

MD5
c259e839c3bf1643faad6755dbb4a45b

SHA1
75fd37e261d3c8d515a2744f40b5eadf9971b630

SHA256
0d5c5897275433b4daba75341d4d31f09c864704b24a285d61120b1f89fa5073

SHA512
d3e07764f1add49ba6a26c78e010e1ec2ce55e546b476ad88301f34fa5dc362769b755b80e3e7c7d3656495f7201a023074e1a61bad69e3957ae5e3ad39d0d28

Download Submit
C:\Windows\SysWOW64\SysModule32.DLL

Filesize
49KB

MD5
edfd984bc81d1d61f8f15f86c836d937

SHA1
f8aa14f7ff4cc510e8e115e65d642e66cff024fc

SHA256
401201e517cf75a0a07e42982899c21935d3235dcfe2ddc437b1120173347fa2

SHA512
9aea310759b03450ef8ac4fe1c208b0a1de523cb4fbca5fceef1927d9643dbb4f3efe463c256181d3303fb3b0950b893093842ae60e1fafedbe008d894bf5232

Download Submit
C:\Windows\SysWOW64\SysModule64.DLL

Filesize
65KB

MD5
1cd2c8cd19fcb44ba7c880866e409f3f

SHA1
0d934e8a01c6e105e9a3ca9bbe43827a5ef7adcc

SHA256
c8697771d43714bb3c9ae68708f1924633a84f00feaa91e500135f0db3b41967

SHA512
543052a36d8db1ef12116bf0fe0e345b3146a29a1598b475563b3c55e237373c595199690171adfd2599626581b73f7a4ac40bdc0e64f52c96d61351bbac3792

Download Submit
memory/296-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/308-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-56-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/496-59-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/496-130-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/496-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/496-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-95-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/624-475-0x0000000001C90000-0x0000000001CA6000-memory.dmp

Filesize
88KB

Download
memory/868-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-246-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/940-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-488-0x0000000000100000-0x0000000000116000-memory.dmp

Filesize
88KB

Download
memory/1060-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-180-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/1228-245-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1352-461-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download
memory/1364-543-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1364-502-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1364-553-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1420-489-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1420-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-425-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1488-968-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/1508-77-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1508-23-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1508-22-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1508-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-94-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1508-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-859-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1652-71-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/1656-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-514-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1728-566-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1728-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-500-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/1792-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-594-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-597-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1804-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-554-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1860-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-283-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1956-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-515-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1968-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-462-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1976-463-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/1976-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-1092-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/2012-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-568-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2072-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-411-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/2176-107-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2188-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-175-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2228-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-402-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2272-449-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2360-195-0x0000000000170000-0x0000000000186000-memory.dmp

Filesize
88KB

Download
memory/2360-476-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2360-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-322-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2452-448-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/2488-1151-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/2520-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-125-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/2588-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-320-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download
memory/2608-54-0x0000000000150000-0x0000000000166000-memory.dmp

Filesize
88KB

Download
memory/2612-580-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2652-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-73-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2652-146-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2720-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-372-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2724-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-109-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2724-40-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2748-579-0x0000000000200000-0x0000000000216000-memory.dmp

Filesize
88KB

Download
memory/2824-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-15-0x0000000000130000-0x0000000000146000-memory.dmp

Filesize
88KB

Download
memory/2828-595-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2828-596-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2832-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-385-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2832-338-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2880-142-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/2880-1076-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/2896-798-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2960-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-197-0x0000000000540000-0x0000000000573000-memory.dmp

Filesize
204KB

Download
memory/2964-593-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2964-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-544-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2972-258-0x00000000001B0000-0x00000000001C6000-memory.dmp

Filesize
88KB

Download
memory/3004-90-0x00000000001A0000-0x00000000001B6000-memory.dmp

Filesize
88KB

Download
memory/3028-371-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/3060-1027-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download