543861a86e1b56d34fe5a10d398d52e8ee11d269dd997caa4de9ebbbe9903003

Analysis

max time kernel
68s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 06:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Size

105KB
MD5

c864c1b4e17200be75086d4d83613afa
SHA1

fa0b12798269ef69600d70063567e3e6a006d75d
SHA256

543861a86e1b56d34fe5a10d398d52e8ee11d269dd997caa4de9ebbbe9903003
SHA512

66517de944283a83232de854e3db0cda7b784850da8ad1674526c2e572f1112fd0f7efeeb362fd1695c44f2d98e492eb1328ba6b79a66cf635ff78964b23d924
SSDEEP

1536:1U46qi9FOluMjC0CWGo/S1DWlDzEYPdrNMBUT/KqrEvAJNyTqJ:x6qeF8uOd3t/S1DeHJNMG2uEvAJNqa

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}\StubPath = "C:\\Windows\\system32\\windows.exe"	windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P0AD2-T29Y0-G62H8-0W417-M0F6N}	windows.exe

Executes dropped EXE 64 IoCs

pid	Process
2796	windows.exe
2548	windows.exe
2020	windows.exe
1768	windows.exe
2168	windows.exe
996	windows.exe
2708	windows.exe
2056	windows.exe
2976	windows.exe
2296	windows.exe
2224	windows.exe
2392	windows.exe
2116	windows.exe
2852	windows.exe
1592	windows.exe
1064	windows.exe
1996	windows.exe
1416	windows.exe
1308	windows.exe
2496	windows.exe
2080	windows.exe
2256	windows.exe
1888	windows.exe
1688	windows.exe
2780	windows.exe
2760	windows.exe
2544	windows.exe
2800	windows.exe
1412	windows.exe
2264	windows.exe
2160	windows.exe
2128	windows.exe
2876	windows.exe
1212	windows.exe
3056	windows.exe
2992	windows.exe
1208	windows.exe
1192	windows.exe
2196	windows.exe
1988	windows.exe
2828	windows.exe
760	windows.exe
2480	windows.exe
1048	windows.exe
1704	windows.exe
2248	windows.exe
2008	windows.exe
564	windows.exe
2316	windows.exe
1880	windows.exe
2908	windows.exe
1668	windows.exe
1888	windows.exe
1684	windows.exe
2896	windows.exe
2812	windows.exe
2684	windows.exe
2476	windows.exe
1768	windows.exe
2864	windows.exe
2588	windows.exe
2848	windows.exe
2756	windows.exe
3060	windows.exe

Loads dropped DLL 64 IoCs

pid	Process
2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
2796	windows.exe
2548	windows.exe
2548	windows.exe
1768	windows.exe
1768	windows.exe
996	windows.exe
996	windows.exe
2056	windows.exe
2056	windows.exe
2296	windows.exe
2296	windows.exe
2392	windows.exe
2392	windows.exe
2852	windows.exe
2852	windows.exe
1064	windows.exe
1064	windows.exe
1416	windows.exe
1416	windows.exe
2496	windows.exe
2496	windows.exe
2256	windows.exe
2256	windows.exe
1688	windows.exe
1688	windows.exe
2760	windows.exe
2760	windows.exe
2800	windows.exe
2800	windows.exe
2264	windows.exe
2264	windows.exe
2128	windows.exe
2128	windows.exe
1212	windows.exe
1212	windows.exe
2992	windows.exe
2992	windows.exe
1192	windows.exe
1192	windows.exe
1988	windows.exe
1988	windows.exe
760	windows.exe
760	windows.exe
1048	windows.exe
1048	windows.exe
2248	windows.exe
2248	windows.exe
564	windows.exe
564	windows.exe
1880	windows.exe
1880	windows.exe
1668	windows.exe
1668	windows.exe
1684	windows.exe
1684	windows.exe
2812	windows.exe
2812	windows.exe
2476	windows.exe
2476	windows.exe
2864	windows.exe
2864	windows.exe
2848	windows.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\P0AD2-T29Y0-G62H8-0W = "C:\\Windows\\system32\\windows.exe"	windows.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	windows.exe
File created	C:\Windows\SysWOW64\windows.exe	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Token: SeDebugPrivilege	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Token: SeDebugPrivilege	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Token: SeDebugPrivilege	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
Token: SeDebugPrivilege	2796	windows.exe
Token: SeDebugPrivilege	2796	windows.exe
Token: SeDebugPrivilege	2548	windows.exe
Token: SeDebugPrivilege	2548	windows.exe
Token: SeDebugPrivilege	2020	windows.exe
Token: SeDebugPrivilege	2020	windows.exe
Token: SeDebugPrivilege	1768	windows.exe
Token: SeDebugPrivilege	1768	windows.exe
Token: SeDebugPrivilege	2168	windows.exe
Token: SeDebugPrivilege	2168	windows.exe
Token: SeDebugPrivilege	996	windows.exe
Token: SeDebugPrivilege	996	windows.exe
Token: SeDebugPrivilege	2708	windows.exe
Token: SeDebugPrivilege	2708	windows.exe
Token: SeDebugPrivilege	2056	windows.exe
Token: SeDebugPrivilege	2056	windows.exe
Token: SeDebugPrivilege	2976	windows.exe
Token: SeDebugPrivilege	2976	windows.exe
Token: SeDebugPrivilege	2296	windows.exe
Token: SeDebugPrivilege	2296	windows.exe
Token: SeDebugPrivilege	2224	windows.exe
Token: SeDebugPrivilege	2224	windows.exe
Token: SeDebugPrivilege	2392	windows.exe
Token: SeDebugPrivilege	2392	windows.exe
Token: SeDebugPrivilege	2116	windows.exe
Token: SeDebugPrivilege	2116	windows.exe
Token: SeDebugPrivilege	2852	windows.exe
Token: SeDebugPrivilege	2852	windows.exe
Token: SeDebugPrivilege	1592	windows.exe
Token: SeDebugPrivilege	1592	windows.exe
Token: SeDebugPrivilege	1064	windows.exe
Token: SeDebugPrivilege	1064	windows.exe
Token: SeDebugPrivilege	1996	windows.exe
Token: SeDebugPrivilege	1996	windows.exe
Token: SeDebugPrivilege	1416	windows.exe
Token: SeDebugPrivilege	1416	windows.exe
Token: SeDebugPrivilege	1308	windows.exe
Token: SeDebugPrivilege	1308	windows.exe
Token: SeDebugPrivilege	2496	windows.exe
Token: SeDebugPrivilege	2496	windows.exe
Token: SeDebugPrivilege	2080	windows.exe
Token: SeDebugPrivilege	2080	windows.exe
Token: SeDebugPrivilege	2256	windows.exe
Token: SeDebugPrivilege	2256	windows.exe
Token: SeDebugPrivilege	1888	windows.exe
Token: SeDebugPrivilege	1888	windows.exe
Token: SeDebugPrivilege	1688	windows.exe
Token: SeDebugPrivilege	1688	windows.exe
Token: SeDebugPrivilege	2780	windows.exe
Token: SeDebugPrivilege	2780	windows.exe
Token: SeDebugPrivilege	2760	windows.exe
Token: SeDebugPrivilege	2760	windows.exe
Token: SeDebugPrivilege	2544	windows.exe
Token: SeDebugPrivilege	2544	windows.exe
Token: SeDebugPrivilege	2800	windows.exe
Token: SeDebugPrivilege	2800	windows.exe
Token: SeDebugPrivilege	1412	windows.exe
Token: SeDebugPrivilege	1412	windows.exe
Token: SeDebugPrivilege	2264	windows.exe
Token: SeDebugPrivilege	2264	windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2720	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2720	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2720	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	30
PID 2660 wrote to memory of 2720	2660	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	30
PID 2720 wrote to memory of 2796	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2796	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2796	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2796	2720	c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2548	2796	windows.exe	32
PID 2796 wrote to memory of 2548	2796	windows.exe	32
PID 2796 wrote to memory of 2548	2796	windows.exe	32
PID 2796 wrote to memory of 2548	2796	windows.exe	32
PID 2548 wrote to memory of 2020	2548	windows.exe	33
PID 2548 wrote to memory of 2020	2548	windows.exe	33
PID 2548 wrote to memory of 2020	2548	windows.exe	33
PID 2548 wrote to memory of 2020	2548	windows.exe	33
PID 2020 wrote to memory of 1768	2020	windows.exe	34
PID 2020 wrote to memory of 1768	2020	windows.exe	34
PID 2020 wrote to memory of 1768	2020	windows.exe	34
PID 2020 wrote to memory of 1768	2020	windows.exe	34
PID 1768 wrote to memory of 2168	1768	windows.exe	35
PID 1768 wrote to memory of 2168	1768	windows.exe	35
PID 1768 wrote to memory of 2168	1768	windows.exe	35
PID 1768 wrote to memory of 2168	1768	windows.exe	35
PID 2168 wrote to memory of 996	2168	windows.exe	36
PID 2168 wrote to memory of 996	2168	windows.exe	36
PID 2168 wrote to memory of 996	2168	windows.exe	36
PID 2168 wrote to memory of 996	2168	windows.exe	36
PID 996 wrote to memory of 2708	996	windows.exe	37
PID 996 wrote to memory of 2708	996	windows.exe	37
PID 996 wrote to memory of 2708	996	windows.exe	37
PID 996 wrote to memory of 2708	996	windows.exe	37
PID 2708 wrote to memory of 2056	2708	windows.exe	38
PID 2708 wrote to memory of 2056	2708	windows.exe	38
PID 2708 wrote to memory of 2056	2708	windows.exe	38
PID 2708 wrote to memory of 2056	2708	windows.exe	38
PID 2056 wrote to memory of 2976	2056	windows.exe	39
PID 2056 wrote to memory of 2976	2056	windows.exe	39
PID 2056 wrote to memory of 2976	2056	windows.exe	39
PID 2056 wrote to memory of 2976	2056	windows.exe	39
PID 2976 wrote to memory of 2296	2976	windows.exe	40
PID 2976 wrote to memory of 2296	2976	windows.exe	40
PID 2976 wrote to memory of 2296	2976	windows.exe	40
PID 2976 wrote to memory of 2296	2976	windows.exe	40
PID 2296 wrote to memory of 2224	2296	windows.exe	41
PID 2296 wrote to memory of 2224	2296	windows.exe	41
PID 2296 wrote to memory of 2224	2296	windows.exe	41
PID 2296 wrote to memory of 2224	2296	windows.exe	41
PID 2224 wrote to memory of 2392	2224	windows.exe	42
PID 2224 wrote to memory of 2392	2224	windows.exe	42
PID 2224 wrote to memory of 2392	2224	windows.exe	42
PID 2224 wrote to memory of 2392	2224	windows.exe	42
PID 2392 wrote to memory of 2116	2392	windows.exe	43
PID 2392 wrote to memory of 2116	2392	windows.exe	43
PID 2392 wrote to memory of 2116	2392	windows.exe	43
PID 2392 wrote to memory of 2116	2392	windows.exe	43
PID 2116 wrote to memory of 2852	2116	windows.exe	44
PID 2116 wrote to memory of 2852	2116	windows.exe	44
PID 2116 wrote to memory of 2852	2116	windows.exe	44
PID 2116 wrote to memory of 2852	2116	windows.exe	44
PID 2852 wrote to memory of 1592	2852	windows.exe	45
PID 2852 wrote to memory of 1592	2852	windows.exe	45
PID 2852 wrote to memory of 1592	2852	windows.exe	45
PID 2852 wrote to memory of 1592	2852	windows.exe	45

C:\Users\Admin\AppData\Local\Temp\c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c864c1b4e17200be75086d4d83613afa_JaffaCakes118.exe" /r
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\windows.exe
    "C:\Windows\system32\windows.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\windows.exe
      "C:\Windows\SysWOW64\windows.exe" /r
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        24⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        33⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        34⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2128
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        37⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        39⤵
        Executes dropped EXE
        
        PID:1208
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1192
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        41⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        43⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:760
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        45⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        47⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        49⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:564
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1880
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        53⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        55⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        57⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        58⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2812
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        59⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2476
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        61⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        62⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2864
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        65⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        66⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3060
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        68⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1816
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        70⤵
        Adds Run key to start application
        
        PID:2120
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        71⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        72⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        73⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        74⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        75⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        76⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        77⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        78⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        80⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2432
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        81⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        82⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        83⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        84⤵
        Adds Run key to start application
        
        PID:1576
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        85⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        86⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        87⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        88⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        90⤵
        Adds Run key to start application
        
        PID:2372
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        91⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        92⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        93⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        94⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        96⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1848
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        97⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        98⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        100⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        101⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        102⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        103⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        104⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        105⤵
        
        PID:872
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        106⤵
        Adds Run key to start application
        
        PID:336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        107⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        108⤵
        
        PID:340
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        109⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        110⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1084
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        111⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        112⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        113⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        114⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        115⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        116⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        117⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        118⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        119⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        120⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        121⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        122⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        123⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        124⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        126⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        128⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        129⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        130⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        131⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        132⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        133⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        134⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        135⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        136⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        138⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        140⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        142⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        143⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        144⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        145⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        146⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        147⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        148⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        150⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        151⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        152⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:2284
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        153⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        154⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        155⤵
        
        PID:316
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        156⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        158⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        159⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        160⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        162⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        163⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        164⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1700
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        166⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2972
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        167⤵
        
        PID:340
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        168⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        169⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        170⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        171⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        172⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        174⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        178⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        180⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        181⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        182⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1088
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        183⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        184⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        185⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        186⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1856
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        187⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        188⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        189⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        190⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        191⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        192⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        193⤵
        
        PID:836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        194⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        196⤵
        
        PID:592
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        197⤵
        
        PID:764
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        198⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        200⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:2420
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        201⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        202⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2644
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        203⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        204⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:2000
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        205⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        206⤵
        Adds Run key to start application
        
        PID:2368
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        208⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        211⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        212⤵
        Adds Run key to start application
        
        PID:1088
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        213⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        214⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        215⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        216⤵
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        217⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        218⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        219⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        220⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        221⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        222⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:856
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        223⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        224⤵
        
        PID:844
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        226⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:340
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        227⤵
        
        PID:596
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        228⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:612
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        229⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        230⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2628
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        231⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        232⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2700
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        233⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        234⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        235⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        236⤵
        Adds Run key to start application
        
        PID:1716
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        237⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        238⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        239⤵
        System Location Discovery: System Language Discovery
        
        PID:996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        240⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        242⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        243⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        244⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        245⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        246⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        247⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        248⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        249⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        250⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1184
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        252⤵
        
        PID:496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        253⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        254⤵
        Adds Run key to start application
        
        PID:2472
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        256⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        257⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        258⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        259⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        260⤵
        
        PID:936
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        261⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        262⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        263⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        264⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        265⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        266⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        267⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        268⤵
        
        PID:320
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        269⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        270⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        271⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        272⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        273⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        274⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        275⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        276⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        277⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        278⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        279⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        280⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        281⤵
        
        PID:836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        282⤵
        
        PID:640
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        283⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        284⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        285⤵
        
        PID:844
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        286⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        287⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        288⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        289⤵
        
        PID:340
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        290⤵
        
        PID:896
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        291⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        292⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        293⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        294⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        295⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        296⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        297⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        298⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        299⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        300⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        301⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        302⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        303⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        304⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        305⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        306⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        307⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        308⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        309⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        310⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        311⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        312⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        313⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        314⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        315⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        316⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        317⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        318⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        319⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        320⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        321⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        322⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        323⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        324⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        325⤵
        
        PID:940
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        326⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        327⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        328⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        329⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        330⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        331⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        332⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        333⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        334⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        335⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        336⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        337⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        338⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        339⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        340⤵
        
        PID:316
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        341⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        342⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        343⤵
        
        PID:760
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        344⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        345⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        346⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        347⤵
        
        PID:676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        348⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        349⤵
        
        PID:336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        350⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        351⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        352⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        353⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        354⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        355⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        356⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        357⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        358⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        359⤵
        
        PID:936
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        360⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        361⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        362⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        363⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        364⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        365⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        366⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        367⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        368⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        369⤵
        
        PID:568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        370⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        371⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        372⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        373⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        374⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        375⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        376⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        377⤵
        
        PID:760
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        378⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        379⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        380⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        381⤵
        
        PID:676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        382⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        383⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        384⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        385⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        386⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        387⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        388⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        389⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        390⤵
        
        PID:948
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        391⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        392⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        393⤵
        
        PID:936
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        394⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        395⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        396⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        397⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        398⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        399⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        400⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        401⤵
        
        PID:908
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        402⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        403⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        404⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        405⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        406⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        407⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        408⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        409⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        410⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        411⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        412⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        413⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        414⤵
        
        PID:964
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        415⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        416⤵
        
        PID:640
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        417⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        418⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        419⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        420⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        421⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        422⤵
        
        PID:852
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        423⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        424⤵
        
        PID:612
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        425⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        426⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        427⤵
        
        PID:380
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        428⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        429⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        430⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        431⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        432⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        433⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        434⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        435⤵
        
        PID:908
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        436⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        437⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        438⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        439⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        440⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        441⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        442⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        443⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        444⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        445⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        446⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        447⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        448⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        449⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        450⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        451⤵
        
        PID:336
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        452⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        453⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        454⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        455⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        456⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        457⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        458⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        459⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        460⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        461⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        462⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        463⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        464⤵
        
        PID:832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        465⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        466⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        467⤵
        
        PID:788
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        468⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        469⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        470⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        471⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        472⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        473⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        474⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        475⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        476⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        477⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        478⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        479⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        480⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        481⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        482⤵
        
        PID:496
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        483⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        484⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        485⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        486⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        487⤵
        
        PID:324
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        488⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        489⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        490⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        491⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        492⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        493⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        494⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        495⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        496⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        497⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        498⤵
        
        PID:832
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        499⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        500⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        501⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        502⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        503⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        504⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        505⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        506⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        507⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        508⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        509⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        510⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        511⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        512⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        513⤵
        
        PID:676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        514⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        515⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        516⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        517⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        518⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        519⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        520⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        521⤵
        
        PID:324
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        522⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        523⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        524⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        525⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        526⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        527⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        528⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        529⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        530⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        531⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        532⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        533⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        534⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        535⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        536⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        537⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        538⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        539⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        540⤵
        
        PID:840
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        541⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        542⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        543⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        544⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        545⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        546⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        547⤵
        
        PID:676
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        548⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        549⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        550⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        551⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        552⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        553⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        554⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        555⤵
        
        PID:340
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        556⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        557⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        558⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        559⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        560⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        561⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\SysWOW64\windows.exe" /r
        562⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        563⤵
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windows.exe

Filesize
105KB

MD5
c864c1b4e17200be75086d4d83613afa

SHA1
fa0b12798269ef69600d70063567e3e6a006d75d

SHA256
543861a86e1b56d34fe5a10d398d52e8ee11d269dd997caa4de9ebbbe9903003

SHA512
66517de944283a83232de854e3db0cda7b784850da8ad1674526c2e572f1112fd0f7efeeb362fd1695c44f2d98e492eb1328ba6b79a66cf635ff78964b23d924

Download Submit
memory/564-114-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/760-108-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/996-32-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1048-110-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1064-66-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1192-104-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1208-103-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1212-100-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1308-75-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1412-95-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1416-73-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1592-62-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1668-118-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1684-120-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1688-90-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1704-111-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1768-125-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1768-25-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1880-116-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1888-89-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1888-119-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1988-106-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/1996-69-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2008-113-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2020-21-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2056-38-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2080-82-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2116-55-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2128-98-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2160-97-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2168-28-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2196-105-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2224-49-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2248-112-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2256-87-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2264-96-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2296-46-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2316-115-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2392-53-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2476-124-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2480-109-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2496-80-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2544-93-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2548-19-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2588-127-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2660-0-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2684-123-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2708-35-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2720-11-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2760-92-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2780-91-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2796-14-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2800-94-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2812-122-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2828-107-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2848-128-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2852-60-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2864-126-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2876-99-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2896-121-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2908-117-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2976-42-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/2992-102-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download
memory/3056-101-0x0000000020000000-0x0000000020023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads