darkcomet | 987610dc3a58d131c9f1d5a74b4ffb332d98f8ab42678006d1c09d1795ca0858

Analysis

max time kernel
10s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Size

718KB
MD5

652dcdf3001759e7aa4ebae996612070
SHA1

cfdc99daa2c78495eb3d779d219be46c4bbd76cb
SHA256

987610dc3a58d131c9f1d5a74b4ffb332d98f8ab42678006d1c09d1795ca0858
SHA512

22fee00cd45a94e510255aa6b17312da58c878eaed8017b6e97d5b040b81b5c7c23130ab64b3b29b05e361fa9273a9402eb15f4d81accaf60b2488a9762d423e
SSDEEP

12288:CaAchpWsuVTv7ItY8XljyypHP7cOLBev03hlULsmWZ++09ZcKDVsgd:TAEENIq8XwyVPQclDq/+WnpsS

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 62 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe"	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe,C:\\Windows\\system32\\service32.exe"	service32.exe

Checks BIOS information in registry 2 TTPs 62 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	service32.exe

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	service32.exe

Executes dropped EXE 61 IoCs

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe

pid	Process
2072	service32.exe
4040	service32.exe
1676	service32.exe
3100	service32.exe
1316	service32.exe
3908	service32.exe
2484	service32.exe
2972	service32.exe
3828	service32.exe
2944	service32.exe
4428	service32.exe
3720	service32.exe
2000	service32.exe
3252	service32.exe
4588	service32.exe
3728	service32.exe
552	service32.exe
2920	service32.exe
1716	service32.exe
968	service32.exe
2404	service32.exe
1680	service32.exe
3160	service32.exe
3172	service32.exe
232	service32.exe
3608	service32.exe
4360	service32.exe
4920	service32.exe
3528	service32.exe
4012	service32.exe
4416	service32.exe
1816	service32.exe
3908	service32.exe
724	service32.exe
3988	service32.exe
2476	service32.exe
3560	service32.exe
3336	service32.exe
4960	service32.exe
232	service32.exe
2616	service32.exe
4424	service32.exe
4508	service32.exe
2232	service32.exe
2684	service32.exe
2152	service32.exe
4960	service32.exe
3144	service32.exe
2808	service32.exe
4732	service32.exe
4084	service32.exe
2324	service32.exe
3448	service32.exe
3100	service32.exe
516	service32.exe
2128	service32.exe
412	service32.exe
1992	service32.exe
872	service32.exe
3448	service32.exe
2244	service32.exe

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service32 = "C:\\Windows\\system32\\service32.exe"	service32.exe

Drops file in System32 directory 64 IoCs

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exeservice32.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File created	C:\Windows\SysWOW64\service32.exe	service32.exe
File opened for modification	C:\Windows\SysWOW64\service32.exe	service32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 21 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5112	1956	WerFault.exe	665
3008	592	WerFault.exe	693
968	2260	WerFault.exe	880
996	4732	WerFault.exe	1087
2604	1720	WerFault.exe	1150
1376	1040	WerFault.exe	1350
2328	1376		1437
2580	4960		1635
2084	3528		2164
1748	4496		2264
4876	4324		2431
648	3960		2730
696	2384		2758
3340	4500		3490
4716	4528		3733
3080	3188		3748
4124	4344		3840
316	4976		4030
2260	1580		4353
4604	2780		4778
2568	1428		4984

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeservice32.exePING.EXEservice32.execmd.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exePING.EXEPING.EXEservice32.exeservice32.exeservice32.execmd.exePING.EXEcmd.execmd.exeservice32.exePING.EXEPING.EXEcmd.exeservice32.execmd.execmd.execmd.exePING.EXEcmd.execmd.execmd.execmd.exeservice32.execmd.exeservice32.execmd.exeservice32.exeservice32.exeservice32.execmd.execmd.exeservice32.exeservice32.exePING.EXEPING.EXEservice32.execmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.execmd.execmd.exeservice32.exeservice32.execmd.execmd.exePING.EXEPING.EXEPING.EXEservice32.execmd.execmd.exePING.EXEcmd.execmd.exeservice32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4616	PING.EXE
4360	PING.EXE
5044	PING.EXE
792
4968
3068
4404
1832
4404
808	PING.EXE
3168
2948
3944
2040
532
2264
516	PING.EXE
4748	PING.EXE
3124	PING.EXE
1460
2616
1080
1508
536
3132
1128
4264
4552
3360
2220
516	PING.EXE
456
224
2016
316
1832
3260
4208
2656
2184
4616
2004
3524
4636
4372	PING.EXE
5072	PING.EXE
3752
3548
3664
3856	PING.EXE
1504
4148
4448
4308
4532
4896	PING.EXE
2200	PING.EXE
2040
1688	PING.EXE
3396	PING.EXE
1208	PING.EXE
3520
1040
4112

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	service32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	service32.exe

Enumerates system info in registry 2 TTPs 62 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

service32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exeservice32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	service32.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1828
4824
2004
4932
2524
1832
2188
2656
1380
3956	PING.EXE
2260	PING.EXE
1096	PING.EXE
2880
4820
3560
4312	PING.EXE
3784
3988
3188
2040
4900
2820
4364
2248
4148
804
3548
516
3396	PING.EXE
968	PING.EXE
4136	PING.EXE
3260
432
4376
808
2604
1816
3068
400
3488	PING.EXE
1108	PING.EXE
4264	PING.EXE
2820	PING.EXE
3996
3988
4848
1208	PING.EXE
3856
3252
804
2616	PING.EXE
2580	PING.EXE
3004
3084
3548
2568	PING.EXE
3956
1488
2040
3608
1512
2404
4508
2276

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.exeservice32.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeSecurityPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeBackupPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeRestorePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeShutdownPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeDebugPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeUndockPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: 33	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: 34	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: 35	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: 36	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2072	service32.exe
Token: SeSecurityPrivilege	2072	service32.exe
Token: SeTakeOwnershipPrivilege	2072	service32.exe
Token: SeLoadDriverPrivilege	2072	service32.exe
Token: SeSystemProfilePrivilege	2072	service32.exe
Token: SeSystemtimePrivilege	2072	service32.exe
Token: SeProfSingleProcessPrivilege	2072	service32.exe
Token: SeIncBasePriorityPrivilege	2072	service32.exe
Token: SeCreatePagefilePrivilege	2072	service32.exe
Token: SeBackupPrivilege	2072	service32.exe
Token: SeRestorePrivilege	2072	service32.exe
Token: SeShutdownPrivilege	2072	service32.exe
Token: SeDebugPrivilege	2072	service32.exe
Token: SeSystemEnvironmentPrivilege	2072	service32.exe
Token: SeChangeNotifyPrivilege	2072	service32.exe
Token: SeRemoteShutdownPrivilege	2072	service32.exe
Token: SeUndockPrivilege	2072	service32.exe
Token: SeManageVolumePrivilege	2072	service32.exe
Token: SeImpersonatePrivilege	2072	service32.exe
Token: SeCreateGlobalPrivilege	2072	service32.exe
Token: 33	2072	service32.exe
Token: 34	2072	service32.exe
Token: 35	2072	service32.exe
Token: 36	2072	service32.exe
Token: SeIncreaseQuotaPrivilege	4040	service32.exe
Token: SeSecurityPrivilege	4040	service32.exe
Token: SeTakeOwnershipPrivilege	4040	service32.exe
Token: SeLoadDriverPrivilege	4040	service32.exe
Token: SeSystemProfilePrivilege	4040	service32.exe
Token: SeSystemtimePrivilege	4040	service32.exe
Token: SeProfSingleProcessPrivilege	4040	service32.exe
Token: SeIncBasePriorityPrivilege	4040	service32.exe
Token: SeCreatePagefilePrivilege	4040	service32.exe
Token: SeBackupPrivilege	4040	service32.exe
Token: SeRestorePrivilege	4040	service32.exe
Token: SeShutdownPrivilege	4040	service32.exe
Token: SeDebugPrivilege	4040	service32.exe
Token: SeSystemEnvironmentPrivilege	4040	service32.exe
Token: SeChangeNotifyPrivilege	4040	service32.exe
Token: SeRemoteShutdownPrivilege	4040	service32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exeservice32.execmd.execmd.exeservice32.execmd.exeservice32.exeservice32.execmd.exeservice32.execmd.execmd.exeservice32.exeservice32.execmd.exe

description	pid	Process	procid_target
PID 4508 wrote to memory of 2072	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	84
PID 4508 wrote to memory of 2072	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	84
PID 4508 wrote to memory of 2072	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	84
PID 4508 wrote to memory of 2960	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	86
PID 4508 wrote to memory of 2960	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	86
PID 4508 wrote to memory of 2960	4508	652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe	86
PID 2072 wrote to memory of 4040	2072	service32.exe	88
PID 2072 wrote to memory of 4040	2072	service32.exe	88
PID 2072 wrote to memory of 4040	2072	service32.exe	88
PID 2072 wrote to memory of 2696	2072	service32.exe	89
PID 2072 wrote to memory of 2696	2072	service32.exe	89
PID 2072 wrote to memory of 2696	2072	service32.exe	89
PID 2960 wrote to memory of 920	2960	cmd.exe	90
PID 2960 wrote to memory of 920	2960	cmd.exe	90
PID 2960 wrote to memory of 920	2960	cmd.exe	90
PID 2696 wrote to memory of 4404	2696	cmd.exe	92
PID 2696 wrote to memory of 4404	2696	cmd.exe	92
PID 2696 wrote to memory of 4404	2696	cmd.exe	92
PID 4040 wrote to memory of 1676	4040	service32.exe	161
PID 4040 wrote to memory of 1676	4040	service32.exe	161
PID 4040 wrote to memory of 1676	4040	service32.exe	161
PID 4040 wrote to memory of 1456	4040	service32.exe	94
PID 4040 wrote to memory of 1456	4040	service32.exe	94
PID 4040 wrote to memory of 1456	4040	service32.exe	94
PID 1456 wrote to memory of 4012	1456	cmd.exe	347
PID 1456 wrote to memory of 4012	1456	cmd.exe	347
PID 1456 wrote to memory of 4012	1456	cmd.exe	347
PID 1676 wrote to memory of 3100	1676	service32.exe	330
PID 1676 wrote to memory of 3100	1676	service32.exe	330
PID 1676 wrote to memory of 3100	1676	service32.exe	330
PID 1676 wrote to memory of 1600	1676	service32.exe	274
PID 1676 wrote to memory of 1600	1676	service32.exe	274
PID 1676 wrote to memory of 1600	1676	service32.exe	274
PID 3100 wrote to memory of 1316	3100	service32.exe	138
PID 3100 wrote to memory of 1316	3100	service32.exe	138
PID 3100 wrote to memory of 1316	3100	service32.exe	138
PID 3100 wrote to memory of 4368	3100	service32.exe	165
PID 3100 wrote to memory of 4368	3100	service32.exe	165
PID 3100 wrote to memory of 4368	3100	service32.exe	165
PID 1600 wrote to memory of 3488	1600	cmd.exe	446
PID 1600 wrote to memory of 3488	1600	cmd.exe	446
PID 1600 wrote to memory of 3488	1600	cmd.exe	446
PID 1316 wrote to memory of 3908	1316	service32.exe	341
PID 1316 wrote to memory of 3908	1316	service32.exe	341
PID 1316 wrote to memory of 3908	1316	service32.exe	341
PID 4368 wrote to memory of 1716	4368	cmd.exe	159
PID 4368 wrote to memory of 1716	4368	cmd.exe	159
PID 4368 wrote to memory of 1716	4368	cmd.exe	159
PID 1316 wrote to memory of 1356	1316	service32.exe	466
PID 1316 wrote to memory of 1356	1316	service32.exe	466
PID 1316 wrote to memory of 1356	1316	service32.exe	466
PID 1356 wrote to memory of 4512	1356	cmd.exe	325
PID 1356 wrote to memory of 4512	1356	cmd.exe	325
PID 1356 wrote to memory of 4512	1356	cmd.exe	325
PID 3908 wrote to memory of 2484	3908	service32.exe	592
PID 3908 wrote to memory of 2484	3908	service32.exe	592
PID 3908 wrote to memory of 2484	3908	service32.exe	592
PID 3908 wrote to memory of 4956	3908	service32.exe	461
PID 3908 wrote to memory of 4956	3908	service32.exe	461
PID 3908 wrote to memory of 4956	3908	service32.exe	461
PID 2484 wrote to memory of 2972	2484	service32.exe	113
PID 2484 wrote to memory of 2972	2484	service32.exe	113
PID 2484 wrote to memory of 2972	2484	service32.exe	113
PID 4956 wrote to memory of 1496	4956	cmd.exe	516

C:\Users\Admin\AppData\Local\Temp\652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\652dcdf3001759e7aa4ebae996612070_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Windows\SysWOW64\service32.exe
  "C:\Windows\system32\service32.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\service32.exe
    "C:\Windows\system32\service32.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\service32.exe
      "C:\Windows\system32\service32.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2972
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3828
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2944
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:4428
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3720
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2000
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3252
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4588
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3728
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:552
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2920
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1716
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:968
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Enumerates system info in registry
        
        PID:2404
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1680
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3160
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        25⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:3172
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        26⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        27⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3608
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        28⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4360
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        29⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4920
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        30⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3528
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        31⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4012
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        32⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:4416
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        33⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1816
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        34⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3908
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        35⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:724
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        36⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:3988
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        37⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2476
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        38⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3560
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        39⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3336
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        40⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:4960
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        41⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        42⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2616
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        43⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4424
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        44⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4508
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        45⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        46⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2684
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        47⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2152
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        48⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4960
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        49⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:3144
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        50⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:2808
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        51⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:4732
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        52⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        53⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2324
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        54⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:3448
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        55⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:3100
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        56⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:516
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        57⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2128
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        58⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Enumerates system info in registry
        
        PID:412
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        59⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:1992
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        60⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        61⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:3448
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        62⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2244
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        63⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        64⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        65⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        66⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        67⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        68⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        69⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        70⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        71⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        72⤵
        
        PID:552
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        73⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        74⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        75⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        76⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        77⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        78⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        79⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        80⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        81⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        82⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        83⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        84⤵
        
        PID:876
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        85⤵
        
        PID:556
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        86⤵
        
        PID:760
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        87⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        88⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        89⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        90⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        91⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        92⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        93⤵
        
        PID:724
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        94⤵
        
        PID:888
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        95⤵
        
        PID:64
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        96⤵
        
        PID:592
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        97⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        98⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        99⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        100⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        101⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        102⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        103⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        104⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        105⤵
        
        PID:876
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        106⤵
        
        PID:532
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        107⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        108⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        109⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        110⤵
        
        PID:516
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        111⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        112⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        113⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        114⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        115⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        116⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        117⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        118⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        119⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        120⤵
        
        PID:412
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        121⤵
        
        PID:376
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        122⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        123⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        124⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        125⤵
        
        PID:532
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        126⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        127⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        128⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        129⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        130⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        131⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        132⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        133⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        134⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        135⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        136⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        137⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        138⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        139⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        140⤵
        
        PID:464
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        141⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        142⤵
        
        PID:112
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        143⤵
        
        PID:756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        144⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        145⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        146⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        147⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        148⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        149⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        150⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        151⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        152⤵
        
        PID:592
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        153⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        154⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        155⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        156⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        157⤵
        
        PID:432
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        158⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        159⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        160⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        161⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        162⤵
        
        PID:368
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        163⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        164⤵
        
        PID:836
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        165⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        166⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        167⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        168⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        169⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        170⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        171⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        172⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        173⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        174⤵
        
        PID:316
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        175⤵
        
        PID:756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        176⤵
        
        PID:872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        177⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        178⤵
        
        PID:636
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        179⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        180⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        181⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        182⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        183⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        184⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        185⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        186⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        187⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        188⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        189⤵
        
        PID:452
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        190⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        191⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        192⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        193⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        194⤵
        
        PID:872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        195⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        196⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        197⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        198⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        199⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        200⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        201⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        202⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        203⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        204⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        205⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        206⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        207⤵
        
        PID:432
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        208⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        209⤵
        
        PID:232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        210⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        211⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        212⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        213⤵
        
        PID:532
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        214⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        215⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        216⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        217⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        218⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        219⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        220⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        221⤵
        
        PID:968
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        222⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        223⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        224⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        225⤵
        
        PID:888
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        226⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        227⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        228⤵
        
        PID:368
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        229⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        230⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        231⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        232⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        233⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        234⤵
        
        PID:516
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        235⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        236⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        237⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        238⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        239⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        240⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        241⤵
        
        PID:756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        242⤵
        
        PID:872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        243⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        244⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        245⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        246⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        247⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        248⤵
        
        PID:64
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        249⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        250⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        251⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        252⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        253⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        254⤵
        
        PID:968
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        255⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        256⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        257⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        258⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        259⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        260⤵
        
        PID:808
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        261⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        262⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        263⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        264⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        265⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        266⤵
        
        PID:640
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        267⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        268⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        269⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        270⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        271⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        272⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        273⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        274⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        275⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        276⤵
        
        PID:376
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        277⤵
        
        PID:792
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        278⤵
        
        PID:232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        279⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        280⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        281⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        282⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        283⤵
        
        PID:432
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        284⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        285⤵
        
        PID:220
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        286⤵
        
        PID:112
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        287⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        288⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        289⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        290⤵
        
        PID:876
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        291⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        292⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        293⤵
        
        PID:432
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        294⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        295⤵
        
        PID:888
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        296⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        297⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        298⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        299⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        300⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        301⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        302⤵
        
        PID:592
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        303⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        304⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        305⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        306⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        307⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        308⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        309⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        310⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        311⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        312⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        313⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        314⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        315⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        316⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        317⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        318⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        319⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        320⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        321⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        322⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        323⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        324⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        325⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        326⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        327⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        328⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        329⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        330⤵
        
        PID:888
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        331⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        332⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        333⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        334⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        335⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        336⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\service32.exe
        
        "C:\Windows\system32\service32.exe"
        337⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        337⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        336⤵
        
        PID:3932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        337⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        335⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        336⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        334⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        335⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        333⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        334⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        332⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        333⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        331⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        332⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        330⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        331⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        329⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        330⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        328⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        329⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        327⤵
        
        PID:432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        328⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        326⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        327⤵
        Runs ping.exe
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        325⤵
        
        PID:636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        326⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        324⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        325⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        323⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        324⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        322⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        323⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        321⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        322⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        320⤵
        
        PID:532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        321⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        319⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        320⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 1020
        318⤵
        Program crash
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        317⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        318⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        316⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        317⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        315⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        316⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        314⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        315⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        313⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        314⤵
        Runs ping.exe
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        312⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        313⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        311⤵
        
        PID:536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        312⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        310⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        311⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        309⤵
        
        PID:64
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        310⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        308⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        309⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        307⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        308⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        306⤵
        
        PID:112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        307⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        305⤵
        
        PID:876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        306⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        304⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        305⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        303⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        304⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        302⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        303⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        301⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        302⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        300⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        301⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        299⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        300⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        298⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        299⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        297⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        298⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        296⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        297⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        295⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        296⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        294⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        295⤵
        Runs ping.exe
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        293⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        294⤵
        Runs ping.exe
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        292⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        293⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        291⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        292⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        290⤵
        
        PID:844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        291⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        289⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        290⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        288⤵
        
        PID:952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        289⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        287⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        288⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        286⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        287⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        285⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        286⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        284⤵
        
        PID:5116
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        285⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        285⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        283⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        284⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        282⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        283⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        281⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        282⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        280⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        281⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        279⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        280⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        278⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        279⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        277⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        278⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        276⤵
        
        PID:412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        277⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        275⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        276⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        274⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        275⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        273⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        274⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        272⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        273⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        271⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        272⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        270⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        271⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        269⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        270⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1020
        268⤵
        Program crash
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        267⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        268⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        266⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        267⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        265⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        266⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        264⤵
        
        PID:652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        265⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        263⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        264⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        262⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        263⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        261⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        262⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        260⤵
        
        PID:696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        261⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        259⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        260⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        258⤵
        
        PID:368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        259⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        257⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        258⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        256⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        257⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        255⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        256⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        254⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        255⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        253⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        254⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 1020
        252⤵
        Program crash
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        251⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        252⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        250⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        251⤵
        Runs ping.exe
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        249⤵
        
        PID:636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        250⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        248⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        249⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        247⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        248⤵
        Runs ping.exe
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        246⤵
        
        PID:888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        247⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        245⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        246⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        244⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        245⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        243⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        244⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        242⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        243⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        241⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        242⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        240⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        241⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        239⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        240⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        238⤵
        
        PID:964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        239⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        237⤵
        
        PID:696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        238⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        236⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        237⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        235⤵
        
        PID:792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        236⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        234⤵
        
        PID:468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        235⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        233⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        234⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        232⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        233⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        231⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        232⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        230⤵
        
        PID:4044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        229⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        230⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        228⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        229⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        227⤵
        
        PID:872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        228⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        226⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        227⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        225⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        226⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        224⤵
        
        PID:456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        225⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        223⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        224⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        222⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        223⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        221⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        222⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        220⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        221⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        219⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        220⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        218⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        219⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        217⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        218⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        216⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        217⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        215⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        216⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        214⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        215⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        213⤵
        
        PID:876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        214⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        212⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        213⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        211⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        212⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        210⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        211⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        209⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        210⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        208⤵
        
        PID:888
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        209⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        207⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        208⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        206⤵
        
        PID:412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        207⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        205⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        206⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        204⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        205⤵
        Runs ping.exe
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        203⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        204⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        202⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        203⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        201⤵
        
        PID:952
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        202⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1308
        200⤵
        Program crash
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        199⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        200⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        198⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        199⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        197⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        198⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        196⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        197⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        195⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        196⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        194⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        195⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        193⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        194⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        192⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        193⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        191⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        192⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        190⤵
        
        PID:368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        191⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        189⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        190⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        188⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        189⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        187⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        188⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        186⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        187⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        185⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        186⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        184⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        185⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        183⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        184⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        182⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        183⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        181⤵
        
        PID:112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        182⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        180⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        181⤵
        Runs ping.exe
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        179⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        180⤵
        Runs ping.exe
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        178⤵
        
        PID:532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        179⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        177⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        178⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        176⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        177⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        175⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        176⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        174⤵
        
        PID:452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        175⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        173⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        174⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        172⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        173⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        171⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        172⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        170⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        171⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        169⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        170⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        168⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        169⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        167⤵
        
        PID:844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        168⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        166⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        167⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        165⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        166⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        164⤵
        
        PID:536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        165⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        163⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        164⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        162⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        163⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        161⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        162⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        160⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        161⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        159⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        160⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        158⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        159⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        157⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        158⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        156⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        157⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        155⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        154⤵
        
        PID:996
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        155⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 1020
        153⤵
        Program crash
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        152⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        153⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        151⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        152⤵
        Runs ping.exe
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        150⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        151⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        149⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        150⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        148⤵
        
        PID:652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        149⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        147⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        148⤵
        
        PID:556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1020
        146⤵
        Program crash
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        145⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        146⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        144⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        145⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        143⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        144⤵
        Runs ping.exe
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        142⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        143⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        141⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        142⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        140⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        141⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        139⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        140⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        138⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        139⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        137⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        138⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        136⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        137⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        135⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        136⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        134⤵
        
        PID:636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        135⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        133⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        134⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        132⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        133⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        131⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        132⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        130⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        131⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        129⤵
        
        PID:3356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        130⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        128⤵
        
        PID:2084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        129⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        127⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        128⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        126⤵
        
        PID:2644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        127⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        125⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        126⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        124⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        125⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        123⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        124⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        122⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        123⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        121⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        122⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        120⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        121⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        119⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        120⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        118⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        119⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        117⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        118⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        116⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        117⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        115⤵
        
        PID:516
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        116⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        114⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        115⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        113⤵
        
        PID:64
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        114⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        112⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        113⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        111⤵
        
        PID:452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        112⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        110⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        111⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        109⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        108⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        109⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        107⤵
        
        PID:2348
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        108⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        106⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        107⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        105⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        106⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        104⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        105⤵
        
        PID:676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        103⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        104⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        102⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        103⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        101⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        102⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        100⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        101⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        99⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        100⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        98⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        99⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        97⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        98⤵
        
        PID:724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        96⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        97⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        95⤵
        
        PID:4084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        96⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        96⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        94⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        95⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        93⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        94⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        92⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        93⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        91⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        92⤵
        Runs ping.exe
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        90⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        91⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        89⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        90⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        88⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        89⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        87⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        88⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        86⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        87⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        85⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        86⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        84⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        85⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        83⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        84⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        82⤵
        
        PID:312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        83⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        81⤵
        
        PID:464
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        82⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        80⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        81⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        79⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        80⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        78⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        79⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        77⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        78⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        76⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        77⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        75⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        76⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        74⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        75⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        73⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        74⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        72⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        73⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        71⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        72⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        70⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        71⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        69⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        68⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        69⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        67⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        68⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        66⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        67⤵
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        65⤵
        
        PID:4756
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        66⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        64⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        65⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        63⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        64⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        63⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        61⤵
        
        PID:2688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        62⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:1228
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        61⤵
        Runs ping.exe
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        59⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        60⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        58⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        57⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        58⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        57⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        56⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        55⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        54⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        52⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        51⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        49⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        49⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        48⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        46⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        46⤵
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        44⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        45⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        44⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        42⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        43⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        41⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        42⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        41⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        39⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        40⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        38⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        39⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        38⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        35⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        35⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        34⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        30⤵
        
        PID:412
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        31⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        29⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        28⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        26⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        27⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        25⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        24⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        25⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        23⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        24⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        22⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        23⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        22⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        22⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        21⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        18⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        19⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        17⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        18⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        16⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        17⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        14⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        15⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        13⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        12⤵
        
        PID:468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        11⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        10⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        11⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        9⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        10⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        
        PID:4512
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        7⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:3488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        
        PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1956 -ip 1956
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 592 -ip 592
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2260 -ip 2260
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4732 -ip 4732
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1720 -ip 1720
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1040 -ip 1040
1⤵
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat

Filesize
68B

MD5
0ea6f3ccdd3befbde13aeebea511c8a8

SHA1
284095a1da7a330e81653f94009e790b8c3e1e67

SHA256
59ebc73cf60b2bc40130d7a82007126d47a14f1f9538a82e7b4c269a64c666b1

SHA512
d38d7a8a965e75037e7868a560f29f01c17fca5b12b27508da364e3b97e1747684521e65bc848b426ce61a52a2fe4c52d33da8c97e461d9319be9d44b62e2afc

Download Submit
C:\Windows\SysWOW64\service32.exe

Filesize
718KB

MD5
652dcdf3001759e7aa4ebae996612070

SHA1
cfdc99daa2c78495eb3d779d219be46c4bbd76cb

SHA256
987610dc3a58d131c9f1d5a74b4ffb332d98f8ab42678006d1c09d1795ca0858

SHA512
22fee00cd45a94e510255aa6b17312da58c878eaed8017b6e97d5b040b81b5c7c23130ab64b3b29b05e361fa9273a9402eb15f4d81accaf60b2488a9762d423e

Download Submit
memory/232-154-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/232-223-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/412-282-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/516-275-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/552-110-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/724-200-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/872-290-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/968-126-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1316-43-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1676-32-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1680-137-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1716-121-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1816-192-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1992-286-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2000-88-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2072-12-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2072-21-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2128-278-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2152-242-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2232-235-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2244-298-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2324-265-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2404-132-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2476-208-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2484-54-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2616-225-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2684-238-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2808-253-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2920-116-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2944-71-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2972-59-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3100-271-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3100-38-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3144-249-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3160-142-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3172-149-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3252-93-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3336-216-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3448-269-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3448-294-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3528-176-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3560-212-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3608-160-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3720-83-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3728-104-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3828-65-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3908-48-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3908-196-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3988-204-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4012-182-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4040-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4084-261-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4212-303-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4360-166-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4416-188-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4424-229-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4428-77-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4508-0-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4508-232-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4508-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4588-99-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4588-300-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4732-257-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4920-171-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4960-246-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4960-219-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download