1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
Size

86KB
MD5

d64b9f6369b3d60162abfc46506bfa46
SHA1

b2cec7b66ba4abe9405b829e8a94111f861546d3
SHA256

1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17
SHA512

7a2c11ec0651b1037c32f0f6216f318b2e174ac3eb9be47d7225af06c47a08c347635c194ef4f467ed210d627f66d491d88f11d5170b727728cf525e5c65a37b
SSDEEP

1536:PNiqmsQ71EgXp6pupktRsc//////UxNVki0ipzS6s7snLoLaUjYoCR3y:HaOy6pREc//////8NVMiRSOPcYoCR3y

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\d3dxof.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
4288	d3dxof.exe
1804	d3dxof.exe
964	d3dxof.exe
4532	d3dxof.exe
672	d3dxof.exe
644	d3dxof.exe
4652	d3dxof.exe
4208	d3dxof.exe
2148	d3dxof.exe
3952	d3dxof.exe
2668	d3dxof.exe
4704	d3dxof.exe
3600	d3dxof.exe
3104	d3dxof.exe
1476	d3dxof.exe
3472	d3dxof.exe
4412	d3dxof.exe
1004	d3dxof.exe
4368	d3dxof.exe
3608	d3dxof.exe
3476	d3dxof.exe
2280	d3dxof.exe
4604	d3dxof.exe
5036	d3dxof.exe
2688	d3dxof.exe
2628	d3dxof.exe
2580	d3dxof.exe
5100	d3dxof.exe
8	d3dxof.exe
4400	d3dxof.exe
4296	d3dxof.exe
3592	d3dxof.exe
1440	d3dxof.exe
4292	d3dxof.exe
3672	d3dxof.exe
2888	d3dxof.exe
3508	d3dxof.exe
3944	d3dxof.exe
2300	d3dxof.exe
1684	d3dxof.exe
1360	d3dxof.exe
4396	d3dxof.exe
2032	d3dxof.exe
4104	d3dxof.exe
3628	d3dxof.exe
4616	d3dxof.exe
1652	d3dxof.exe
4408	d3dxof.exe
3336	d3dxof.exe
4540	d3dxof.exe
1376	d3dxof.exe
4924	d3dxof.exe
1512	d3dxof.exe
1988	d3dxof.exe
3432	d3dxof.exe
3804	d3dxof.exe
772	d3dxof.exe
4164	d3dxof.exe
1424	d3dxof.exe
4524	d3dxof.exe
4400	d3dxof.exe
3628	d3dxof.exe
4556	d3dxof.exe
4804	d3dxof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\c_l5905.nls	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\d3dxof.exe	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File opened for modification	C:\Windows\SysWOW64\d3dxof.exe	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe
File created	C:\Windows\SysWOW64\_Setup.bat	d3dxof.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3dxof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
4288	d3dxof.exe
4288	d3dxof.exe
1804	d3dxof.exe
1804	d3dxof.exe
964	d3dxof.exe
964	d3dxof.exe
4532	d3dxof.exe
4532	d3dxof.exe
672	d3dxof.exe
672	d3dxof.exe
644	d3dxof.exe
644	d3dxof.exe
4652	d3dxof.exe
4652	d3dxof.exe
4208	d3dxof.exe
4208	d3dxof.exe
2148	d3dxof.exe
2148	d3dxof.exe
3952	d3dxof.exe
3952	d3dxof.exe
2668	d3dxof.exe
2668	d3dxof.exe
4704	d3dxof.exe
4704	d3dxof.exe
3600	d3dxof.exe
3600	d3dxof.exe
3104	d3dxof.exe
3104	d3dxof.exe
1476	d3dxof.exe
1476	d3dxof.exe
3472	d3dxof.exe
3472	d3dxof.exe
4412	d3dxof.exe
4412	d3dxof.exe
1004	d3dxof.exe
1004	d3dxof.exe
4368	d3dxof.exe
4368	d3dxof.exe
3608	d3dxof.exe
3608	d3dxof.exe
3476	d3dxof.exe
3476	d3dxof.exe
2280	d3dxof.exe
2280	d3dxof.exe
4604	d3dxof.exe
4604	d3dxof.exe
5036	d3dxof.exe
5036	d3dxof.exe
2688	d3dxof.exe
2688	d3dxof.exe
2628	d3dxof.exe
2628	d3dxof.exe
2580	d3dxof.exe
2580	d3dxof.exe
5100	d3dxof.exe
5100	d3dxof.exe
8	d3dxof.exe
8	d3dxof.exe
4400	d3dxof.exe
4400	d3dxof.exe
4296	d3dxof.exe
4296	d3dxof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4716	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	83
PID 2444 wrote to memory of 4716	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	83
PID 2444 wrote to memory of 4716	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	83
PID 4716 wrote to memory of 1756	4716	cmd.exe	86
PID 4716 wrote to memory of 1756	4716	cmd.exe	86
PID 4716 wrote to memory of 1756	4716	cmd.exe	86
PID 4716 wrote to memory of 3132	4716	cmd.exe	87
PID 4716 wrote to memory of 3132	4716	cmd.exe	87
PID 4716 wrote to memory of 3132	4716	cmd.exe	87
PID 2444 wrote to memory of 3040	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	90
PID 2444 wrote to memory of 3040	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	90
PID 2444 wrote to memory of 3040	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	90
PID 2444 wrote to memory of 4288	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	91
PID 2444 wrote to memory of 4288	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	91
PID 2444 wrote to memory of 4288	2444	d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe	91
PID 4288 wrote to memory of 2888	4288	d3dxof.exe	93
PID 4288 wrote to memory of 2888	4288	d3dxof.exe	93
PID 4288 wrote to memory of 2888	4288	d3dxof.exe	93
PID 2888 wrote to memory of 2328	2888	cmd.exe	95
PID 2888 wrote to memory of 2328	2888	cmd.exe	95
PID 2888 wrote to memory of 2328	2888	cmd.exe	95
PID 2888 wrote to memory of 2420	2888	cmd.exe	96
PID 2888 wrote to memory of 2420	2888	cmd.exe	96
PID 2888 wrote to memory of 2420	2888	cmd.exe	96
PID 4288 wrote to memory of 1804	4288	d3dxof.exe	97
PID 4288 wrote to memory of 1804	4288	d3dxof.exe	97
PID 4288 wrote to memory of 1804	4288	d3dxof.exe	97
PID 1804 wrote to memory of 3024	1804	d3dxof.exe	98
PID 1804 wrote to memory of 3024	1804	d3dxof.exe	98
PID 1804 wrote to memory of 3024	1804	d3dxof.exe	98
PID 3024 wrote to memory of 1928	3024	cmd.exe	100
PID 3024 wrote to memory of 1928	3024	cmd.exe	100
PID 3024 wrote to memory of 1928	3024	cmd.exe	100
PID 3024 wrote to memory of 4728	3024	cmd.exe	101
PID 3024 wrote to memory of 4728	3024	cmd.exe	101
PID 3024 wrote to memory of 4728	3024	cmd.exe	101
PID 1804 wrote to memory of 964	1804	d3dxof.exe	102
PID 1804 wrote to memory of 964	1804	d3dxof.exe	102
PID 1804 wrote to memory of 964	1804	d3dxof.exe	102
PID 964 wrote to memory of 1764	964	d3dxof.exe	103
PID 964 wrote to memory of 1764	964	d3dxof.exe	103
PID 964 wrote to memory of 1764	964	d3dxof.exe	103
PID 1764 wrote to memory of 4236	1764	cmd.exe	105
PID 1764 wrote to memory of 4236	1764	cmd.exe	105
PID 1764 wrote to memory of 4236	1764	cmd.exe	105
PID 1764 wrote to memory of 3976	1764	cmd.exe	106
PID 1764 wrote to memory of 3976	1764	cmd.exe	106
PID 1764 wrote to memory of 3976	1764	cmd.exe	106
PID 964 wrote to memory of 4532	964	d3dxof.exe	107
PID 964 wrote to memory of 4532	964	d3dxof.exe	107
PID 964 wrote to memory of 4532	964	d3dxof.exe	107
PID 4532 wrote to memory of 3756	4532	d3dxof.exe	108
PID 4532 wrote to memory of 3756	4532	d3dxof.exe	108
PID 4532 wrote to memory of 3756	4532	d3dxof.exe	108
PID 3756 wrote to memory of 2808	3756	cmd.exe	110
PID 3756 wrote to memory of 2808	3756	cmd.exe	110
PID 3756 wrote to memory of 2808	3756	cmd.exe	110
PID 3756 wrote to memory of 2980	3756	cmd.exe	111
PID 3756 wrote to memory of 2980	3756	cmd.exe	111
PID 3756 wrote to memory of 2980	3756	cmd.exe	111
PID 4532 wrote to memory of 672	4532	d3dxof.exe	114
PID 4532 wrote to memory of 672	4532	d3dxof.exe	114
PID 4532 wrote to memory of 672	4532	d3dxof.exe	114
PID 672 wrote to memory of 4680	672	d3dxof.exe	115

C:\Users\Admin\AppData\Local\Temp\d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64b9f6369b3d60162abfc46506bfa46_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\_deleteme.bat
  2⤵
  PID:3040
- C:\Windows\SysWOW64\d3dxof.exe
  C:\Windows\system32\d3dxof.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
- - C:\Windows\SysWOW64\d3dxof.exe
    C:\Windows\system32\d3dxof.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3024
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1928
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        5⤵
        
        PID:4728
  - - C:\Windows\SysWOW64\d3dxof.exe
      C:\Windows\system32\d3dxof.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4236
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        6⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        7⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        7⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        8⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        10⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        10⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        10⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        11⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        11⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        12⤵
        
        PID:316
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        12⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        13⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        13⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        14⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        14⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        15⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        15⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        16⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        16⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        17⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        17⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        17⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        18⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        18⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        19⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        19⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        19⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        20⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        20⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        20⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        21⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        21⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        22⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        22⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        22⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        23⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        23⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        23⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        24⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        24⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        24⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        25⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        25⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        26⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        26⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        27⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        27⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        28⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        28⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        28⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        29⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        29⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        29⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        30⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        30⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        30⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        31⤵
        
        PID:672
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        32⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        32⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        32⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        33⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        33⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        33⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        34⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        33⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        35⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        35⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        34⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        35⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        36⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        36⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        37⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        37⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        38⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        38⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        38⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        39⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        39⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        39⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        40⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        40⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        41⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        41⤵
        
        PID:368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        42⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        42⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        43⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        43⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        42⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        43⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        44⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        44⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        44⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        45⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        45⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        44⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        45⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        46⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        46⤵
        
        PID:8
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        45⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        46⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        47⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        47⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        47⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        48⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        48⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        48⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        49⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        49⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        48⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        49⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        50⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        50⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        49⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        50⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        51⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        51⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        51⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        52⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        52⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        51⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        52⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        53⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        52⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        53⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        54⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        54⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        53⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        54⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        55⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        55⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        55⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        56⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        56⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        57⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        57⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        57⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        58⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        58⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        58⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        59⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        59⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        58⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        59⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        60⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        60⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        59⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        60⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        61⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        61⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        60⤵
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        61⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        62⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        62⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        61⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        62⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        63⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        63⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        63⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        64⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        64⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        63⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        64⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        65⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        65⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        65⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        66⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        66⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        66⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        67⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        66⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        67⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        68⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        68⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        67⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        68⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        69⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        69⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        69⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        70⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        70⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        69⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        70⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        71⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        71⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        70⤵
        Drops file in System32 directory
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        71⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        72⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        71⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        73⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        73⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        72⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        73⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        74⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        74⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        73⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        74⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        75⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1640
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        75⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        74⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        75⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        76⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        76⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        75⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        76⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        77⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        77⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        76⤵
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        77⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        78⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        78⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        77⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        78⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        79⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        79⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        78⤵
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        79⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        80⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        79⤵
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        80⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        81⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        81⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        81⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        82⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        82⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        81⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        83⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        83⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        83⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        84⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        83⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        84⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        85⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        85⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        84⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        85⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        86⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        86⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        85⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        87⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        87⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        86⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        87⤵
        
        PID:972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        88⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        88⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        87⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        89⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        89⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        88⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        89⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        90⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        89⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        91⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        90⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        92⤵
        
        PID:732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        92⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        91⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        92⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        93⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        93⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        92⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        93⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        94⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        94⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        93⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        94⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        95⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        95⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        96⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        96⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        95⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        96⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        97⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        96⤵
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        97⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        98⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        98⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        97⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        98⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        99⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        99⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        98⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        99⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        100⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        100⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        100⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        101⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        101⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        100⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        101⤵
        
        PID:760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        102⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        101⤵
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        102⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        103⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        103⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        102⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        104⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        103⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        104⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        105⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        105⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        104⤵
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        105⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        106⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:1144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        106⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        105⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        106⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        107⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        106⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        107⤵
        
        PID:740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        108⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        107⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        108⤵
        
        PID:840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        109⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        108⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        109⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        110⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        110⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        109⤵
        Drops file in System32 directory
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        110⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        111⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        111⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        110⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        111⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        112⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        112⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\d3dxof.exe
        
        C:\Windows\system32\d3dxof.exe
        111⤵
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\_Setup.bat
        112⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\d3dxof.exe /i" /f
        113⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{1CB0B7F9-DC3A-6C1D-4390-CB5CED2E9EBD}" /f
        113⤵
        
        PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\_Setup.bat

Filesize
352B

MD5
39da6288a067d15e30993c9381f613b6

SHA1
345519157d7a12bf79c16cb016cb02fd0351ec77

SHA256
9111d49e001f4a90aeb5fbe62e627966e0b2b3c51b5188f854e324069c5a3f5a

SHA512
bab16132b3e6e02ec4015b1007d7a7de7c871f29625881691618f8a36d3f71accf8ed41ae013ebe403fb071b25dcb973f512f04f90d1e5dbfe32211580eb108b

Download Submit
C:\Windows\SysWOW64\_deleteme.bat

Filesize
212B

MD5
6079a7a2e41c553c0175e6eb63f9574a

SHA1
74e75f864f7513396c0ffedafe2a0416ec8339d0

SHA256
9063f0e98ba50b5a9fe574b2994bc494a5e74cfe86a52065e446fe4d9d9d39ef

SHA512
13ed793a9c54e631e1564bd6aa29c4017110ce5481229fb69172098cb4c98d1cd6d74b74697398dbdee853ccc94efb7d0908192207ff5fb3d9eae9a414871aa0

Download Submit
C:\Windows\SysWOW64\c_l5905.nls

Filesize
978B

MD5
2555e727335649a6544999bd3572ab73

SHA1
a0f7556f5990bfcd0922a034c4e117b19e15d19a

SHA256
908db05801c57c0330e2df66fce23e75268dd54daf294c575a2e62f9caac07dc

SHA512
7992be3200a7c8fb267cbc23c2751f059835e35b827e0e7e181ff8c670afd310b0491322d0697ac2d48e2ba51aac36f919e4a5386d070d3b3b9ec87f0caf1ccb

Download Submit
C:\Windows\SysWOW64\d3dxof.exe

Filesize
86KB

MD5
d64b9f6369b3d60162abfc46506bfa46

SHA1
b2cec7b66ba4abe9405b829e8a94111f861546d3

SHA256
1273ef2078166c2434c57f1c52161083f4a062f3d88f6f6ab845d0374e734c17

SHA512
7a2c11ec0651b1037c32f0f6216f318b2e174ac3eb9be47d7225af06c47a08c347635c194ef4f467ed210d627f66d491d88f11d5170b727728cf525e5c65a37b

Download Submit
memory/8-158-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/644-43-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/672-38-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/772-243-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/964-28-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1004-103-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1360-195-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1376-225-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1424-249-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1440-171-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1476-88-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1512-231-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1652-213-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1684-192-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1804-23-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/1988-234-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2032-201-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2148-58-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2280-123-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2300-189-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2444-10-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2580-148-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2628-143-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2668-68-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2688-138-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/2888-180-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3104-83-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3336-219-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3432-237-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3472-93-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3476-118-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3508-183-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3592-168-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3600-78-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3608-113-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3628-258-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3628-207-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3672-177-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3804-240-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3944-186-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/3952-63-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4104-204-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4164-246-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4208-53-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4288-18-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4292-174-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4296-165-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4368-108-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4396-198-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4400-162-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4400-255-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4408-216-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4412-98-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4524-252-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4532-33-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4540-222-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4556-261-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4604-128-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4616-210-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4652-48-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4704-73-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/4924-228-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/5036-133-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download
memory/5100-153-0x0000000000010000-0x000000000002C000-memory.dmp

Filesize
112KB

Download