Analysis
-
max time kernel
11s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-11-2024 00:23
Static task
static1
Behavioral task
behavioral1
Sample
8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe
-
Size
36KB
-
MD5
8e3cb7a9bdf0add317bf3945bd7a5c01
-
SHA1
d8a96a84f61027d2913801414e8b3e8dde8d08f6
-
SHA256
d27b11aef2338d211b7ece957cdd00af16c6c6718f19dcae80b872e7adbad561
-
SHA512
17d056aa575238e4d1d241dbd916c3d31fc62b81d416fee809b6d36d6f4f3e76b2668a32e5621c537e6b1fb76d5f7bdf8ab837310cab9ca6931f9b9f3aef4c20
-
SSDEEP
768:AQGiHdn+ZnPW6hduWmSdFkHA+9HFiesI4Wn2b7o8Ekj:/VHx+ZnDjuPgER4W2bXEkj
Malware Config
Signatures
-
Detected Xorist Ransomware 1 IoCs
resource yara_rule
behavioral2/memory/3080-87-0x0000000000400000-0x000000000040C000-memory.dmp family_xorist
-
Xorist Ransomware
Xorist is a ransomware first seen in 2020.
-
Xorist family
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation joined.exe
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 1.exe
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation joined.exe
-
Executes dropped EXE 4 IoCs
pid Process
5016 joined.exe
3872 1.exe
612 joined.exe
3080 loleee.exe
-
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BBFOHMOINCAKLLD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe" joined.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BMBKMKDMJJNGPEG = "C:\\Users\\Admin\\AppData\\Local\\Temp\\joined.exe" 8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NCLMBBNGPPHIFFB = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1.bat" joined.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Win32 = "C:\\Windows\\Win32.bat" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat" reg.exe
-
resource yara_rule
behavioral2/files/0x0007000000023cae-76.dat upx
behavioral2/memory/3080-83-0x0000000000400000-0x000000000040C000-memory.dmp upx
behavioral2/memory/3080-87-0x0000000000400000-0x000000000040C000-memory.dmp upx
-
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\Win32.bat cmd.exe
File created C:\Windows\Win32.bat cmd.exe
File opened for modification C:\Windows\Win32.bat cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Kills process with taskkill 5 IoCs
pid Process
4112 taskkill.exe
2260 taskkill.exe
3052 taskkill.exe
2500 taskkill.exe
3424 taskkill.exe
-
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings 1.exe
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings joined.exe
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings explorer.exe
-
Modifies registry key 1 TTPs 2 IoCs
pid Process
4032 reg.exe
2696 reg.exe
-
Opens file in notepad (likely ransom note) 3 IoCs
pid Process
2044 NOTEPAD.EXE
3172 NOTEPAD.EXE
3980 NOTEPAD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8e3cb7a9bdf0add317bf3945bd7a5c01_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Users\Admin\AppData\Local\Temp\joined.exe"C:\Users\Admin\AppData\Local\Temp\joined.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1.txt4⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3172
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2.txt4⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:3980
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3.txt4⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:1444
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1736
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:208
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5056
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:3452
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4064
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:1472
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1316
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:1480
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2108
-
-
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7336
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9232
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9252
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9320
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9340
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9380
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9416
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9444
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9464
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9568
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9612
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9636
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9660
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9704
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9760
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9776
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9804
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9856
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9876
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9912
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9948
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10020
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10048
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10092
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10120
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10164
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10192
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10232
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:2412
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:4972
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:3940
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9252
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9344
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9388
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9436
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7660
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7748
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9616
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7856
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9692
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7976
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9544
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9864
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9904
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9952
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10052
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7456
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10176
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7340
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:808
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:3940
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9416
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7840
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:3520
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:8584
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9844
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:9920
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:8944
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:6148
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10192
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7340
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:9504
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7900
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:8000
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:3428
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:4264
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7748
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:3648
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:2776
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7364
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:4716
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10292
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10320
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10360
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10388
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10420
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10448
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10520
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10576
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10592
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10620
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10660
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10680
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10736
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10764
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10812
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10840
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10880
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10908
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10948
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10976
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11008
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11068
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11092
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11128
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11152
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11208
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11228
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11256
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10264
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10308
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10408
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10532
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10588
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10616
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7200
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10784
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7412
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10928
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11056
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11084
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11128
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11204
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7756
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:1716
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7988
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10576
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10888
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10928
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7600
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11200
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:3228
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10304
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:7992
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10764
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:956
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10376
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:5924
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:10980
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10976
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:7936
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:10308
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11276
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11308
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11336
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11380
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11416
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11464
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11492
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11536
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11564
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11608
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11636
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11684
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11712
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11756
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11784
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11824
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11844
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11896
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11924
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:11968
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵PID:11988
-
-
C:\Windows\SysWOW64\cmd.execmd.exe5⤵PID:12036
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1234.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:3756
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22323.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:4460
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\111111111.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\cmd.execmd.exe5⤵
- System Location Discovery: System Language Discovery
PID:852
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:456
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4076
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵
- System Location Discovery: System Language Discovery
PID:3852
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:2988
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:4508
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:4064
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:3852
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:1300
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:4612
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:796
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5216
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5448
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5596
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5788
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5916
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:4980
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5528
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5656
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6008
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5348
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5656
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:4612
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6208
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6404
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6584
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6756
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6948
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6116
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6380
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6912
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7076
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6784
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:6304
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7016
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7356
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7596
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7800
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7968
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8136
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7360
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:7844
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:3480
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8116
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:2316
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8144
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:2696
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:1448
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:2188
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:436
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:5400
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:1012
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8248
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8460
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8612
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8836
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:9068
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8212
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:8484
-
-
C:\Windows\SysWOW64\explorer.exeexplorer5⤵PID:9020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11111111111.bat" "4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5092
-
-
-
C:\Users\Admin\AppData\Local\Temp\joined.exe"C:\Users\Admin\AppData\Local\Temp\joined.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Users\Admin\AppData\Local\Temp\loleee.exe"C:\Users\Admin\AppData\Local\Temp\loleee.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i_love_you.vbs"5⤵
- System Location Discovery: System Language Discovery
PID:4956
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im /f chrome.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2500
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im /f ie.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3424
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im /f firefox.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im /f opera.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2260
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im /f safari.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3052
-
-
C:\Windows\SysWOW64\reg.exeReg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2696
-
-
C:\Windows\SysWOW64\reg.exeReg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4032
-
-
C:\Windows\SysWOW64\mode.commode con cols=300 lines=3004⤵
- System Location Discovery: System Language Discovery
PID:5088
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads