01b522c0189a3459677787b349dcecfad137c5dca65790243f81d3fa74c08fc8

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe
Size

400KB
MD5

e9c3068ecc101d7ed3bcd5ce9244fa3e
SHA1

98b98e4aa60fe06d58c093ec04904183abacda9f
SHA256

01b522c0189a3459677787b349dcecfad137c5dca65790243f81d3fa74c08fc8
SHA512

3e2f5df6e5c606773ece995528e56a3b46eda58a2acd6a4bc22ce111796384af3e92e56039331af793fad3ce437be23a7eb1a5d3d1ab2f7ea555f2184d6f8e82
SSDEEP

12288:uE4J9sOYhv3zMs+WdjhIAD2IUFuvyHJ15cR:uEQqO5s+YJu

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe "	regedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	appttt.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	appttt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Runs .reg file with regedit 64 IoCs

pid	Process
3916	regedit.exe
2260	regedit.exe
2356	regedit.exe
3380	regedit.exe
1208	regedit.exe
1304	regedit.exe
3264	regedit.exe
1248	regedit.exe
3192	regedit.exe
2336	regedit.exe
928	regedit.exe
2360	regedit.exe
2384	regedit.exe
632	regedit.exe
4196	regedit.exe
220	regedit.exe
2316	regedit.exe
2036	regedit.exe
1784	regedit.exe
4148	regedit.exe
880	regedit.exe
4260	regedit.exe
4736	regedit.exe
316	regedit.exe
4692	regedit.exe
2152	regedit.exe
4632	regedit.exe
2800	regedit.exe
1948	regedit.exe
216	regedit.exe
4036	regedit.exe
3044	regedit.exe
4764	regedit.exe
4472	regedit.exe
4744	regedit.exe
4500	regedit.exe
1556	regedit.exe
772	regedit.exe
4552	regedit.exe
4424	regedit.exe
2276	regedit.exe
516	regedit.exe
4408	regedit.exe
2276	regedit.exe
3872	regedit.exe
2020	regedit.exe
1768	regedit.exe
4244	regedit.exe
4836	regedit.exe
2064	regedit.exe
840	regedit.exe
4988	regedit.exe
1612	regedit.exe
944	regedit.exe
392	regedit.exe
4812	regedit.exe
2260	regedit.exe
1148	regedit.exe
3696	regedit.exe
1240	regedit.exe
2720	regedit.exe
1976	regedit.exe
5064	regedit.exe
1928	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	appttt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 4648	3552	e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe	82
PID 3552 wrote to memory of 4648	3552	e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe	82
PID 3552 wrote to memory of 4648	3552	e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe	82
PID 4648 wrote to memory of 1564	4648	appttt.exe	83
PID 4648 wrote to memory of 1564	4648	appttt.exe	83
PID 4648 wrote to memory of 1564	4648	appttt.exe	83
PID 4648 wrote to memory of 4552	4648	appttt.exe	84
PID 4648 wrote to memory of 4552	4648	appttt.exe	84
PID 4648 wrote to memory of 4552	4648	appttt.exe	84
PID 4648 wrote to memory of 1188	4648	appttt.exe	85
PID 4648 wrote to memory of 1188	4648	appttt.exe	85
PID 4648 wrote to memory of 1188	4648	appttt.exe	85
PID 4648 wrote to memory of 4636	4648	appttt.exe	86
PID 4648 wrote to memory of 4636	4648	appttt.exe	86
PID 4648 wrote to memory of 4636	4648	appttt.exe	86
PID 4648 wrote to memory of 4904	4648	appttt.exe	87
PID 4648 wrote to memory of 4904	4648	appttt.exe	87
PID 4648 wrote to memory of 4904	4648	appttt.exe	87
PID 4648 wrote to memory of 3080	4648	appttt.exe	88
PID 4648 wrote to memory of 3080	4648	appttt.exe	88
PID 4648 wrote to memory of 3080	4648	appttt.exe	88
PID 4648 wrote to memory of 1396	4648	appttt.exe	89
PID 4648 wrote to memory of 1396	4648	appttt.exe	89
PID 4648 wrote to memory of 1396	4648	appttt.exe	89
PID 4648 wrote to memory of 1148	4648	appttt.exe	90
PID 4648 wrote to memory of 1148	4648	appttt.exe	90
PID 4648 wrote to memory of 1148	4648	appttt.exe	90
PID 4648 wrote to memory of 752	4648	appttt.exe	93
PID 4648 wrote to memory of 752	4648	appttt.exe	93
PID 4648 wrote to memory of 752	4648	appttt.exe	93
PID 4648 wrote to memory of 220	4648	appttt.exe	94
PID 4648 wrote to memory of 220	4648	appttt.exe	94
PID 4648 wrote to memory of 220	4648	appttt.exe	94
PID 4648 wrote to memory of 4732	4648	appttt.exe	95
PID 4648 wrote to memory of 4732	4648	appttt.exe	95
PID 4648 wrote to memory of 4732	4648	appttt.exe	95
PID 4648 wrote to memory of 944	4648	appttt.exe	96
PID 4648 wrote to memory of 944	4648	appttt.exe	96
PID 4648 wrote to memory of 944	4648	appttt.exe	96
PID 4648 wrote to memory of 4548	4648	appttt.exe	99
PID 4648 wrote to memory of 4548	4648	appttt.exe	99
PID 4648 wrote to memory of 4548	4648	appttt.exe	99
PID 4648 wrote to memory of 3452	4648	appttt.exe	100
PID 4648 wrote to memory of 3452	4648	appttt.exe	100
PID 4648 wrote to memory of 3452	4648	appttt.exe	100
PID 4648 wrote to memory of 1472	4648	appttt.exe	101
PID 4648 wrote to memory of 1472	4648	appttt.exe	101
PID 4648 wrote to memory of 1472	4648	appttt.exe	101
PID 4648 wrote to memory of 3744	4648	appttt.exe	102
PID 4648 wrote to memory of 3744	4648	appttt.exe	102
PID 4648 wrote to memory of 3744	4648	appttt.exe	102
PID 4648 wrote to memory of 4192	4648	appttt.exe	103
PID 4648 wrote to memory of 4192	4648	appttt.exe	103
PID 4648 wrote to memory of 4192	4648	appttt.exe	103
PID 4648 wrote to memory of 1560	4648	appttt.exe	104
PID 4648 wrote to memory of 1560	4648	appttt.exe	104
PID 4648 wrote to memory of 1560	4648	appttt.exe	104
PID 4648 wrote to memory of 1692	4648	appttt.exe	105
PID 4648 wrote to memory of 1692	4648	appttt.exe	105
PID 4648 wrote to memory of 1692	4648	appttt.exe	105
PID 4648 wrote to memory of 2800	4648	appttt.exe	106
PID 4648 wrote to memory of 2800	4648	appttt.exe	106
PID 4648 wrote to memory of 2800	4648	appttt.exe	106
PID 4648 wrote to memory of 4024	4648	appttt.exe	107

C:\Users\Admin\AppData\Local\Temp\e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Users\Admin\AppData\Local\Temp\appttt.exe
  "C:\Users\Admin\AppData\Local\Temp\appttt.exe" "C:\Users\Admin\AppData\Local\Temp\e9c3068ecc101d7ed3bcd5ce9244fa3e_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4904
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1148
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:220
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:944
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4192
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2800
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4024
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4964
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1304
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4424
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:896
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:892
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2316
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:1948
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:8
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1308
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:64
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:512
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:32
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:840
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3324
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:5056
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:4636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1672
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1768
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1396
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:220
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:4580
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:944
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:464
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5064
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:932
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:756
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1304
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:516
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:720
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2384
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4408
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3768
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4764
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4472
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:644
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:116
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:220
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4816
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:216
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1304
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1240
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:392
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2600
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3556
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2684
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3264
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4304
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:4744
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2384
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4108
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:632
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:64
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3400
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3552
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4148
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1248
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1004
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4140
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3916
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2828
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4664
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4520
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:216
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3872
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2064
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4988
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3192
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:224
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1612
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:2236
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:960
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4692
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4244
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:1976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2720
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:316
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:5020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4484
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1892
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3080
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:468
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:424
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:944
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3708
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2356
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4736
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4436
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3748
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2000
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:392
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3044
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3084
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5088
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:3380
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3048
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1784
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - Runs .reg file with regedit
    PID:4836
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:32
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:592
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:384
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4148
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4812
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:752
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:4196
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4364
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:368
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2356
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2276
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1456
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1556
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2000
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4976
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3756
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:264
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:772
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1948
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4692
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:632
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:3400
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4504
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4136
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4768
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4224
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:852
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:4552
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2952
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4912
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3564
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2020
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1096
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:644
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2260
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2336
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4116
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4548
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:5064
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2152
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2132
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:2064
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:2232
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4588
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:180
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:1368
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Modifies WinLogon for persistence
    PID:4444
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4632
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "\qwe.reg"
    3⤵
    PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\appttt.exe

Filesize
400KB

MD5
e9c3068ecc101d7ed3bcd5ce9244fa3e

SHA1
98b98e4aa60fe06d58c093ec04904183abacda9f

SHA256
01b522c0189a3459677787b349dcecfad137c5dca65790243f81d3fa74c08fc8

SHA512
3e2f5df6e5c606773ece995528e56a3b46eda58a2acd6a4bc22ce111796384af3e92e56039331af793fad3ce437be23a7eb1a5d3d1ab2f7ea555f2184d6f8e82

Download Submit
C:\qwe.reg

Filesize
139B

MD5
b9af5bf99ed31e8187584ea6664a9f08

SHA1
bf7625d266b87543a6ff1c61366149971f7652db

SHA256
24f1d765172284494e50fcc81bc6d8e33b82ac3cdd05a6a1e539a7cd820910c8

SHA512
4e772a0ddb042558638d8040f408fdedf9debd409bba403d1a9bc89f0fd8150d8690bcfcbb1d3ffde502d83e558393b525ef1bffdd6e96bd16beddd9c1dde9e2

Download Submit
C:\qwe.reg

Filesize
556B

MD5
16e1a2956c8700e3dbfcf6ad13c27ef0

SHA1
0c9130de1b0e8b85f5c1bc2a4fa413fe08000101

SHA256
e786f977c837bfa57812c46019f135b26ef4410977b629759eaab6645e7518d6

SHA512
02b61b58aadbdb2063fd8741a4b3ff47add0d6736d880b4b28c440a9cb890ee0172eb7d8b6102084cdb5a2381d2291611cc2314676247fafc1173e7247dd7219

Download Submit
C:\qwe.reg

Filesize
973B

MD5
d0493e69c45f6c95cae651c18bc73def

SHA1
6cad227d4495aabb39a102d7a13a6245231f6c93

SHA256
1ed04f824ab46944e82f5267f9b54c1a4529d9b2aedcb30738400f7c8d7b75c6

SHA512
0fc6b14421e4fe221eeaf4b57c08e892cf25b94f93591dcecc98d908bfe51d73e4c6bef3a6dea0243a93b028db1ced93f73b75a48b7df94562e016b66fdbc947

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
2a1c4def34e6ecabe3a9e273a5367413

SHA1
c38d7234cf41ee1777551e4b50d811bc4d34ee42

SHA256
f8939f2125da7f3aed54fc9b9754af981bcc30ad286613fe171d2b3fc145c387

SHA512
8c958a80c96d42aeb40e90de9e76503978e95b521f61c7f45cd092cb5d525d8d1e9621b3098aae484723e0279474ee2a910d14022e6bff9b42810f1ea0b8e549

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
4bad08cbf2ff033ff747b56b230e7d5d

SHA1
341f0b2bd6543f310aa05b9026657f78e6271418

SHA256
0d3874fa323064f6885d93a61a3350ed8e20fb5fca30393f7040fbd0e7ebb6a6

SHA512
f62c2cb81b5344270a6156260b85011ae53b708220ccb71bcb072af1bccae109ddd832bfa02946911c36ebfc57475dce6e65866117515cd1e7ca865b7c0903ac

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
3263651e2d51430954e64c746c899eb2

SHA1
083437d7ed28f23ef9e8901c9a81495a1919b37b

SHA256
1abf3f939cc453e1a607d5a5b921391d51db724cfdb088f1969a84cc3d4bebcd

SHA512
1d0d591ae12510e739db16c6fa4cf66a2873076f2c101c9214b939f4a488751e5a4e46f5436168fcdb5e573cd62f20987d4638b4402269c5153813313863bda1

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
4247e61c9dff97329a692f9143c108ec

SHA1
40cf72fac5a6ba233a2242aa68fca473a0f949da

SHA256
acc57650640e83cbf3dd66b31adca278027df63d672dad4ccd79c6d078561c79

SHA512
93142e5f823e37d554a23dfdfa0bca02b74164d86bc10ba2cf3e36eb38a62040991948810ba9b18f47415b64fde3e2b14e7f6e7e41e9d6eaa01c57d9c236c362

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
b89f5d391dfc08cc1758e486545d148a

SHA1
7984ba47da4156a73d806daaee80e3031fe3f24f

SHA256
05bf93cb5d2886a1126488848bf887dd1ab51c67f198e3c59a4bdc7f79b69bb7

SHA512
a7746ff49c76a8c689d8fede4a05714499942082e28704cf9bbb0c646049743425eb402e3ce492ca860c57bfca6b914ce9ed1a1df32f54f80ecc94993c67fe4e

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
e8a6407382192d5c5017b71542445dbc

SHA1
feee9dd491ac1618c1fca8b70fd2ecc719ca80a8

SHA256
45c6f371c3d51173d4cc0ad5f660b2da520843f8fdb90420a8a7bb06841ae221

SHA512
f53acda885ceb6b385fb709cf8cdbe627e79183bb2bea579874c522ffd32422bd914151b7a254924d38c4297538caaa931e90ba7d81acd280cb5c4ac5d96e40c

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
2f9d61fed4818d1689c6eda83de6665c

SHA1
d62a2fba8ddf171d522aff6c418344977c998a86

SHA256
59a0e0debc030f4fda02ba4b8e1f3865ca7a3ee4632b9985e832e2a4f8f6cbbe

SHA512
0945f6129c8434421f4769f46683855e37d8de446210b1c8c5d186b40d708cd378fea38d55992ae660b7cae568d675c325e743cb80a2f909aaccc69c68da79d2

Download Submit
C:\qwe.reg

Filesize
278B

MD5
6eaaf456dcb5bf58d7b9dae0ccd306bb

SHA1
0f1637775de69a0bd102310a2df582277238935b

SHA256
d4142a37e67b6adae83880f6aa65c957cb684b5d6e93a31acfbff9e7560121c0

SHA512
2d46b6f25882df0fdc772480023253b0d6bbb13189ccea5b7326602b487e6e0f19c8689427150cd821482f6b7d212d9886232bec2b5e458d95c319485d00924e

Download Submit
C:\qwe.reg

Filesize
695B

MD5
9f5107ed8df6ed209bd0e03526ff7346

SHA1
57cef4739f4e81b7c1eef6f32ab10bd6c8d5299b

SHA256
98e469f8290a20ebb3e5165a5cf137a24c8607cd6495cf6ae091e081439012a0

SHA512
e688b1780f99eed3fe0190a712a875f3d5e4f757944138d0682cd1eefaf0da9e858c0d40ae59efe8c955e4157a326b65355d1445075d59ba5501fd1714c9fb9d

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
1e6c04abe0ef67b6f4cb8106e7ad165b

SHA1
ad2768316fb4fefb3c029a41c126baef0c82d341

SHA256
c52044f78c125929efdd5f1e9ce3426186d3cfb134774f4623643c4a2bb97eed

SHA512
b27329b82b1a769413e7c57411aee1c8ebcb7adee8baaa664931cbf01000a79f9a1667788b1af9ddd41675f7f821e0f2acc4113aba17738ee20d1c969fcb7c7e

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
16933d71e70d3efabcf79699ed20a44d

SHA1
251a5586bb4731fb57e26b5a8ce667321ba8d248

SHA256
f1fe8a9cc3880ece20a1ecafaaab37dab33cc1f5160f34859acc37557a2d8dc3

SHA512
e20ef64f696081a4439cc0cc20ea19c2fad8c1e845e752f4153a4b69f03d2d100ebf6aa605438bca2367a385436bab0fb784999b0b6a7e01a44eadde1c11d58a

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
23022e025c61530ae9a3d9cae4098e2c

SHA1
3e25a111e9385878aa0c7362857fcea01af521fc

SHA256
afec0afdebaed17bc09f3eded692da59acf0d82ff56317a34d805973ada0c13f

SHA512
3679c9d7b77689913099388503ea878ecb1c4ea5e044bfd18a582d5ab8bf773f1a957a2661f7f4dc260cbe79c4c4a9922aecd647afba6c1d6ecdc148c6e54188

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
6053fe0dd01a29412154eb7f82f7544b

SHA1
cc593d19090f3b9de6f9eff363d538a92b436c58

SHA256
4078d1c44728ba6741b45b8bbe07b0b7e05f203ddb3f3dcd49baf78e820b8b07

SHA512
14aadbfde1d23abf21bfd217af1e0d602e0800e133c4c9398a19cbfa20b2e5cb89943b3a3e6c05f9cca54dbec26d6a5550286270e8da36f92235a614f5fc9d39

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
c2438f4621f92c56033b4443cd85f499

SHA1
e4c47db57ba0d6a76d7ad931a17700ba51438885

SHA256
1492900d1c23532e6d48c3a5bf6bfa251641830b0dbd3cbabc9b5d40229199ba

SHA512
db4bb1045f6a5210f51e98e6eec6976a3ba1707e60c7551b60956912ae4f7ed22fd9192d900d322695d43e86a21bfc687e5c366b75b45c7fb0ca9f0fa90c7796

Download Submit
C:\qwe.reg

Filesize
417B

MD5
c3adbb9bf85acc60d1689df788999a7d

SHA1
89867d50cd90e57a4889037b344f50ba28bf36c6

SHA256
1d550d74ba36993f622d4208b526a9e58d1db71cbe7c197c12de420a7cd03bba

SHA512
ffe0f40bf1d41a4cbd476d01d139900a698e305287ca9aaa190df56f9a293b34bcf9035b6eec83012d531b7fa72ed5a1509550e6092ee3da813d419aec166cec

Download Submit
C:\qwe.reg

Filesize
834B

MD5
d856ebcc8861d0896412a8595b3c40ff

SHA1
5b84de2649ef0a37796f8349afbf0e553c574aee

SHA256
4a8fdbd6d43f3fd10f81f33457ea855f1a7e0ed0442c835a9f39cde143131336

SHA512
bdf8ab1caa4853b1a85522081d830eaec0e5a9caba7d618609d824c63f4c453815f762ed85dc469ddb4c61a1b8dee655a18644d6babe47e58241a34453bfe0c9

Download Submit
C:\qwe.reg

Filesize
1KB

MD5
6406f9b290ededee3fa3898df5e6bbe7

SHA1
5b6465d1c1edc56a171da5c83b75af925c928213

SHA256
e24d767431d4564efb6deeed66085fe401e31ce02970b2e2448309ce9e49e255

SHA512
9eb1d2e144e9fc939ad412472617a0912cdce51673b3f14936cc91d7187ae944b53a4b30f682948f9c95a4327ff3d83b88d672d43d63e9778d5028f2c0e6e5d7

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
b4d8d5052c095c921b8fe00b84b49cfc

SHA1
c76448f6cb05973cf5b662b417fcaa3ce220869a

SHA256
bb66fdfcae342a97d3825b18ed61251ea2d007a2abea13b4955d4765c6ba8324

SHA512
3442404894d2eee4144b257adfab2318a8b9e669ac7602186dc6ccf92e4eb3f6dced75057e33c5ac42b8ce0ca2f61b0864c272d18afc2faf1de774890a5a6fb8

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
b23cef336e16f6759693c939e8b8d3c9

SHA1
9842d2ed05d333e99cb73f14d9c06f883daebfb5

SHA256
277dcc006afad0cf1364b3e316e169240c2bf68e188c72ed40fed425ab2c95e1

SHA512
bed1645aa767b35fe9757ab5b8fe19610e09862d3ffb921d00e86ed9a65ba6ac003c166cac9b8dfe7a81a427d90945081dde1b7ba074e2509e94a3578996d989

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
544c658488334c507d9069946d45c540

SHA1
6d8dd9f4ca4a2e47ff6f6cec6115cb73b8074059

SHA256
c5f62e7d135aff77caad4a863f36a9f946d89b143f911a609794ed8a213986c6

SHA512
42f9d0dbc1faaa5a184ea4e6b1856999c71aa09d758d5ba0dd28bf22583ad2b1372836748abde565244bb5f1e2d227c6d6dae22632b65ca84157703c82139a76

Download Submit
C:\qwe.reg

Filesize
4KB

MD5
031e3119f59f025087edefff4194ef33

SHA1
4f1ff6276cb63a9fe309a8a6b6f371e86f30d527

SHA256
3c0de0d2cf6b3d714233f865e9b06370afce2d9fa610932d2ad9d28001018c9f

SHA512
eaa5a76adfd8091a0e4e4dd5a61807dce0bdefedce7ad60072d0b1fb9edd369023deff67a6b4bebff52c01ffe840a29b45ba8a8fe47c080c1d5a3accc3d5feee

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
9411890d62da2583a526871bf1290c8d

SHA1
5b1979bcd629ca99311addfc17f6ed8bf3bc0761

SHA256
1d106cacfffaf175396589c3b132a35b16214a5421c3ed5c974d7a6acb8d808f

SHA512
60756b677e2b6ce9351b397cb9dae1c9b0adff3d8966920ebf979fdc585d6b1f341f38ad6033f01ac8b02cfb343a31a73ce2a777fd269c6927b7868329869146

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
cafa4d40dc86f9a29edc375044fe51c9

SHA1
1232c78fd4dabf99f9222bd5ab192d4fd2b43ce1

SHA256
b2795d0f5817bc92a2c6e8b7a9dc88f4e287fda535066e11184b4649aaf0b83b

SHA512
1a88552c794d21a9e4f6240b2069c7f999ffebd5e393f9246972514a738a2e8ed897f88426e598a8c76ac49cf4e81151c8818ed50e973175b116c2af8f5f93b1

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
ce6c48d6a2db481d684596709fe8158e

SHA1
6397ed8ddcb94c13daba989584ba953686a820c6

SHA256
2cac396cbc0733aad52ecf213522de7bb3b206e90a3150770acc5e56fa2f662c

SHA512
4967526db829be6be89afacdeebba4fdee14f0f327d8fbffb03cd33792cf344cbd94ff5cf74baef7dcb0fead03a6441a65f983c32230053a9666f32009eb6347

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
edb588e00ae09194a20d2c498543e1e0

SHA1
171cd2f1c4cdfe75e65597a73c4fe6f403e4f356

SHA256
95f9b043b3c4e283ae568e264562357414a5b3af2267bcdeb6696600c0c4bf65

SHA512
7ca7c04c2eb87fb9c7786e1d3b580eef24cf40d2099c5507c05797724eb42f47d1767cbc01f8d450939ce23474edba07e315e289dfd2f7ccec50fd0b47f767f5

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
121ac58402c12196491f3c50dee6df00

SHA1
2325b6a61d7177b8855d43dbba499799e184c042

SHA256
9c3146db858bb47086223b63507f2db9cd78ff5ec271d6c61b450c02a0718abc

SHA512
5fa138320fcd9ae606f7958a06471c4bdc1fd7d46c9377dbc15a58deac420a7c61581a3feea6af21a35a52bba65fbd88a328d1ff3aa11e43a3ee8654c019d075

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
2440bbce09b5dc0a93c5ce32133f10a6

SHA1
2078006becb171f27f7585f39e13af6bd6d07bfc

SHA256
ff115401d516a9bfb0ac57b057cf2ffa1c3d635d85ae3ed1004607a298045092

SHA512
5f889c150854be4c2c999884d190cd13a4b77ba826e302d9b4cc852453b286c7ecb489bfd9d0255723569fa1b3d041fb634129c7798cfdd596872d7ae580bcfc

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
37dc441c7d566761bdb6339136f1aa1b

SHA1
741030219bbc23b59a61d0906ecf013ce03f8b7f

SHA256
9ea45c2f33ec88c7250dfe2877660cf768679429414cc170551f58982787508d

SHA512
8db7e8c27b8efa684fe086cbc3a3b0c5865ed35cb8349862bb9cb4793909dd02c278f1d083114e4f0a5861923374205e52d78fab809daae8e7092053c4b4f26c

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
3189cb2b6d7b60f029f3b7f906bf42cf

SHA1
8994a07990e6cf79932851ca89f11a6cca9ec5eb

SHA256
fb6bc5cd55370178a62f9103d382739b5d95b24d4579b6e954de8e1ee9f773bc

SHA512
5228ed80a3e07829bafb1709cab931a34b3ca738736d58a330f9d7c4c3c29beab93d1a475e5a45fc89867849fe72760b09e50fddfe5ec8c151fe86d1c629667e

Download Submit
C:\qwe.reg

Filesize
5KB

MD5
82b3764193b051a7df85e5480cf45894

SHA1
bf14d1be5ac132161b079d1e32082b93eb68dd35

SHA256
cdd14cafb727fef65b4250c95c18940040ef5699c3bf5263c315ed98b5d162d9

SHA512
60a63105763eeca5899e15e967b9031410dabeab40a30011787925d07526b2f1dd0e6a8c9b5eaa7ec735206fc11047f4b332af5400759ca15d0ba133f537641a

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
f59dbc304f5b324f7d158944a4669248

SHA1
94b550eafb042107ea2fb593823750797c8dc30c

SHA256
bdae7b211e879009edac192cb91fd9e16c77d1b567ea5657a295c51fdfe2ff57

SHA512
77a03ac962e216c4a4da953a6a2b1ad948c691c34d31d3263de6cb4c249c0434272198f12bdfd392f1eed3ea3302c09b3038f495d58a114fa7dff5747f720d11

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
143fa427c7f90739318fff2818c7b91e

SHA1
90edc7d8079a9f6e3855c2d6a1b75b93228df4de

SHA256
319021ee23889e1991a310593fbffc352bd729f39d4bee870cac2cffd3aabbd8

SHA512
de1075995d2c62e4a8df8185ef892de159380c9cf3ec8d240ed9c07630eae5c7998ee84cd50e2df36e7dfbc879d76de8edfdd3242b7b8939a0f50438e30f0338

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
aefbd3db3f5a19d4fa6f16a62b574f3f

SHA1
fcbc42775d86a43ccb9ce4325bbcf6184cb30a31

SHA256
9cc01a7af557cf137d9d73c146c032026c3c0ebb7fdcff6cca9d6d3b0f9a3b2f

SHA512
e82fb045e5337edc5ee0060f647156cabb65eddc5ad0c93ce6e0cff7ce7ca2e36b7108939c5cb467f7de5e554283f664f35a17f9e66a840018940a720f265953

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
59b0479b0b6cba9d872fb0b1679d6118

SHA1
75dcec98bf6b5d6fb485bf0383021284f965674a

SHA256
a5aaa069d4e5e30a10e75e6b7c02823e9e6145bd69f8fbe05193477fd11f2ed4

SHA512
3ffd1b0743b038def96c5e75b2da19796bf2608bb086e7c79c279925aa69081eae4568de47d9782d8a858ee57003695768b13e93e809237521007d4bdb16d821

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
d1e96bb2ad25fc9dfb259f7f8b34735d

SHA1
ab9e3ef48e3f512ca12fbdc6686faabe9a71f8c4

SHA256
73b662f3baf4e6514ce619f4368b76d952befa07d1377ce182fca3da65fcc5ab

SHA512
4390bfa1cf11560e0495d0cd4d6eeda51b7f901107e94d86f053213ec381073f7c816ecc8c02fcf4b09137725b05850a994f52eef77c65bccbe0a528e82c8ea4

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
c3185ff48aa97b05465df49f43898ffa

SHA1
3416642ddd4b7b5ca655e4c4050d48d6d0cedfec

SHA256
f043622a5eab887c75adadceddb0bab2659ef90857020b46eb0f5212321a1a54

SHA512
77b0adc14be51d2f757cb1bd1187e3535cd507d0c42fb9714951cb81d3b5dd3fee204f125d2506798b463113faac88714d39bd135b8c30410b4be4ed421fea3c

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
7526cc2352e9faa1aa8e5c622a63fb50

SHA1
96253dffeea1764a7310d5973dbeec06bd4922c3

SHA256
3ce60ddc49ac0754521012b6e544b3730a7f12dca23f911cde7b3377c8d984a4

SHA512
cc8a8d6a2031ae7c90317b3ea0d4c176b30da5d875dcdb5e9b1452166ae619c5726803e46e2aced20d67214878836999e1ed2ccd545b583bb3428126ec1de152

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
3ff9049ca35123273281390718cafa0f

SHA1
54e49b71bd90c09a3f9b0d787dcb49b4d951d6df

SHA256
83ff8aed8f67599f029101374f7d566d30ac3dbe998ae91343f0e77c1ed0676b

SHA512
1c1958f0bc2bb06ecfa6b65763ad4a53013bb73bad37849efa55ef6808a9679326a124c1e7a93e3a96107d3c87238a0d5f3a0ede1d3f53247fd9522a1f765d24

Download Submit
C:\qwe.reg

Filesize
6KB

MD5
a9c4c4899d737ea67d72d7dbc22c21d1

SHA1
b8578085fc58ad7ff0ca7706ff5cd38b8263d29a

SHA256
9b60aa3db3975e07da7df1e71c6aec198d786ef6337395a558e7a94ba1a5f37a

SHA512
01ae26c77b66e500c9958a6290047681e372bad931381f93301104cc34c4cb47e3fae41147802ca3b61445a2f8ac2fc23fea6836211ab4a31f59d0421b3c8113

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
cbc31a7599925966c2de45994ac1e573

SHA1
7d231505dd41bafa77ac0246b07f7f94754d2d0c

SHA256
0a48e3d06021b3e42c14c4846d694f213f7cc4509b443f56ea879fe57b4bab82

SHA512
a578cf2633c7c5997eaae3ac23556932fd838c025e61cb83e6c5f043df0264214085e6ae66ec17d52ffd2e33f2c2447364752a4e2e6455f7b6015cba0a002c4a

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
96535ce676579a2ffd65c72b573f6b44

SHA1
fa5293e58a6e373fc5997587ad20ddc82f35f5fe

SHA256
876dabe05a76f4a94662a009105c2f08d4fb49f360bc0856b115f33ee0a310fa

SHA512
5bda14379cf124fb6ed64acbba663fa68a9cd1ce98a9e9a7718be859f39966790aa9169342caaed0ca68caa5f02a9e948c02132baedb23eb885dc02cf8f1752e

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
1a7738b5ec45d273c337b11bdaa9f718

SHA1
52bf984d5d545c718d9adb3c42b973f2c4b1b325

SHA256
66ed22e132804f843cbaac3ee9138636cb1ed2533c9178ec742e4c1a58bdb6df

SHA512
fd19158ead46d18003dbe0b1753200c1eeb5c8f21275d94669bf025fbdd4614eae183582925b3a84d560cdaeeaab081a6e7fd9c974f3836aa494ccb2a3682f90

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
0c569790d0b11802bd35e247f8db123f

SHA1
47fab7417168d3a82f6192870f9bcf3e80eddbb6

SHA256
a12590b0bc481e849887f8919f2f82606d6450bf52a57b361b874daa1e6775b6

SHA512
831b7de42b48d6373d80c275832c94d48f94d875b72fcfc3a2c47b1ddc36b7868d5e8f3b35ec937c0819267e38800486096bf778399b17f7d525b67fc61d750e

Download Submit
C:\qwe.reg

Filesize
2KB

MD5
b06109f16dfbb79a394b91331b4bda11

SHA1
982d0b4fcee60141302eaeca792df67955ba8a57

SHA256
0da5f0c78241ac946ff4e883cd10118e3adf1d1d19f27ac95b4bac1149e0e9fa

SHA512
95c0d984e27e8244388d03d4b6dfc8ad9e300f2b206d925042d63deb2f520b262e56e9c1480dc0d117fe6cc77e660bb8a6760992d685994ab87302bb5f11056d

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
fb98725afccbe05415c5efce121ed196

SHA1
feaeeafd377bffd0b4f92c12632cffc476d5134b

SHA256
b55fc121d1f7ff1ec4783e738d3e091f43003459fe2be6e26f14cacd518e535d

SHA512
14938df1c5ff421b9b20b65ecbce12c23a5600d0395cc9620e0904ae82154fda6bbcd456d1b59ad0e365f5bc78cabcf5d285dd22a38bca0fe918b8befb0d2e7a

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
26b81a77bdeeb583993121dc53b4a57a

SHA1
625c57e49e2b8100d964839f197bdc48afc4c4fc

SHA256
33af2c6eb6aa864f8edd90ac7c7c38fe7f77c0a9b29f87be295d6af2c59f843c

SHA512
07c362cd08b4f5882fbbdc8280b6c7840635679ea9993f95fe715ab5eaad6c07544697ce0a90117f11ee05e76a83d58cf444130a6d1b376a090677d1bdcebd28

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
78c4c2b54a8f92f11c396a535e8719c2

SHA1
dadf74fc2a6868afe942e87d4d49542ff7c4e034

SHA256
c5493b1272e5d4c182108c637ffde0402bff1c44ad8dcbbe81f7a3f9e91f1a36

SHA512
dcdea35b292734f5450eb4d4da8484143aec5b03ee0300f1745fcdffc2966307832330b5c00c470f64c0cd48309aca8373272bbfdfd63328abff226eb56c2d74

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
7ed9010801ddb3f50d2b5b218974609e

SHA1
f76148f601439b9b4905ac4270f6a0ef0408b977

SHA256
b6007158ee98e482d97c2796c7b3e7866b3754779b68a60e34683ba5d5283d2a

SHA512
2e52ea68f99c299f6aabaf035e5a22d91ef2a350a390e2c4933cfe145d2aa92f20b9b85280cb626f7ce9914a17115a63fb51c83d1e2848b040eaf4ec1d2ecda5

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
5b6dc7d45b4651feeab05a571654d473

SHA1
2bb3a7f930d1c7f065fc014fff040ee573ae20e9

SHA256
8b817b8cab5be9d4b766396fdf359b0fe60e2bbf8395e0b7d0f9e59467b54f9e

SHA512
5cd5993343338589f463910205988c711f9bbe7cb17e190d30c56fcd59a087596de0b2d3f07acf4fe5019d1bbffbafc1dbc680719a9ec3e5252e964de498f3f7

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
8cf2a2403313fdb73ae02704c80d9e16

SHA1
ca2f5c11a1e95ee6a585692fa583cf31e0917670

SHA256
590405ee93b1197e7a1d1d0bfa657ecc2d749cbf53dba2ae2039eb1b8c76fc76

SHA512
4f4f06b130a32bc55ff26d04b7a80c9294ebf647d2f90c807b777e6d854440331ec78634d58e382de698239e88ec7a5dde4c43d26df307978bcf65869406fcfe

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
308ba19ad3f11a230ebf93f5198ca3ee

SHA1
4bf983881db25b105db21f21996b29f1f2c4f431

SHA256
30030a9e66a151b5df80cfbad82efc5ef73da88e09783b3f8d785ef7b523336b

SHA512
f0f0ef8e428f006fb29a38daab496f6a1bf03950078c66e3b1e98d608257fea3070352d9cfd75e444cdc107936e1f0b752b44469edfa4db9b8acaa20e9836ef0

Download Submit
C:\qwe.reg

Filesize
7KB

MD5
0578ee6018684ad25a5fe6344d87ac09

SHA1
dab61a383008e6971c30d88f5ecf1379c3644953

SHA256
4809a9da590cdea360b4e9fdc83aefdf48360fba9ebcef7ccd5c271cd3bea78a

SHA512
d7037eda80b678529d835ffeb739b9db51101435595bdeb7c2fc8e102d6bdbe2c368b2aafadddd69815a30c58e5b691b3c7752d2f3175cc4f492f71cff1c6f1a

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
8267ef3211ebdc14b74e185d79e9937f

SHA1
8d5018d852db4b5c49e658946539cc9c17e91c10

SHA256
462c2274d35c1c420fca4bccda2c518c41d332299afdc976c690b3e8c41c904b

SHA512
e6a263d0b5b40b918cf3db860fb2308d49c3396157deb8d64a1384cc65b314eb9fcb1ce107a495a0e824fc4e5eae17f37ad72e9b2ecabdd277589a3b86fe818e

Download Submit
C:\qwe.reg

Filesize
8KB

MD5
43ba732a62eb224b34bb177112a47186

SHA1
a0c9aedd0d0221cd45371015204e792f0a5f6827

SHA256
b3003807df24a64c3fc08c6b8ed2c9f72f76c1221424eb8f42fda6a44a730d21

SHA512
291bb48d9f1df6f857fdff0c9452361fb2d81464339427bee8db355bca4cc37e8d2c5f8a7f31f1b2cf3043d98130a59867452ca1d3e674ef160dedbc033c407a

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
c1323b311915f3a1d49f9df47e726f84

SHA1
4fa1a12e5edefbeb1e265a8f0480c19f4bf32e15

SHA256
e99b053501c088186bb007de47c5e7d548e20fc285dc08a381a400f2c46973df

SHA512
623cdcfbd69060d177b97f93abaa3834c6237d4e5085bd16a1d252ea401584c68edafcd195c817f6dea0cbaf24d47c4bc8867517f1a6acaf34f97b7956599176

Download Submit
C:\qwe.reg

Filesize
8KB

MD5
3cee1de562770e0ede559e7ce6a50271

SHA1
4398823ad55a1bdebd8c8072901dca8aac6b5853

SHA256
36186b73724fc3e5c870456922ac11ae4d1d64dee4858d813d931f5261d9f346

SHA512
f7be8d7bdc68309b1271388e21e5e614dcc778ce83f1f69b6d978239e31b1db15e215da8adced451cba03cc8da9bd45f46a3a7434f09c4ea4344257f2c7cfa8f

Download Submit
C:\qwe.reg

Filesize
8KB

MD5
ecd269327b17a9507556ef3bc74ec09b

SHA1
41b3dfb75f54c364362b47427970e479b34e5337

SHA256
3cf8ffc3d80a2b7dfa86c8fcbf30e2956e62d2c07cf9f8ea87b3ecb5fc21a05c

SHA512
4ead118cc1e4981f9a31774328447c827a4cd83eb39a96c8d08156bdb4719ec09e0454edcac12e8b19d07a730cfa7ce2091df7165a310bd4832f7553801846be

Download Submit
C:\qwe.reg

Filesize
3KB

MD5
a84429d829aaab966aa74504607c2d78

SHA1
df70a57186ba93fa7917f3e3d28a59bd665b1edc

SHA256
db64f8cee83f05fb4d960be02b008d2c6d5b777390db7aa9b2d475b97471f7b4

SHA512
6730af24ef6131e67f19f81ecc67baebe08cea31acf6162fbe1eea61ce81a073961842bbaea3618266537a56c91d50329db09120ce59419bbe198cae04892f26

Download Submit
memory/3552-0-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3552-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-32-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-117-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-10-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4648-33-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4648-96-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-54-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-151-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-162-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-173-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-185-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-197-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-209-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-220-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4648-231-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads