metasploit | dbb1f8653534a072152dcf5a1342525f43f1d66360c36dbe95b552a656e052ab

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe
Size

1.4MB
MD5

ae70e848f771cf4213fed3fe2d133315
SHA1

1cfd5997b0bad2af1483bac6d065fc466194dee3
SHA256

dbb1f8653534a072152dcf5a1342525f43f1d66360c36dbe95b552a656e052ab
SHA512

3c6fe5fb05ccdcb47f5607a18f0d899663a7eb0864086804b0164f7951b85aeab498c77ca7702658dab1035c81c936e8dd8f24c4980910e97e8144cb84999e6c
SSDEEP

24576:f+IH2bjuHmTN4JTl05UdqkYU56Upxde9+mI9zixlVHu:f+IYuwF5ObxG+Ixu

Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation themida trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 64 IoCs

pid	Process
1492	lcpgccj.exe
2160	qlxblhp.exe
2316	dbaebhu.exe
1636	iolenrz.exe
1960	zvlbrfq.exe
2996	oohobts.exe
2880	yzxzwwz.exe
2948	ykgjkds.exe
2352	nssjrnw.exe
1368	xcpueqc.exe
2044	nkbclhg.exe
2332	rbyxhor.exe
3020	pvbkxqy.exe
2824	egqxhea.exe
2372	rmhzvvl.exe
2428	gyquzai.exe
1996	qbffudo.exe
2828	dzazdlu.exe
1620	ckynsfc.exe
2676	sphiwkz.exe
2640	czwkrnn.exe
2668	mclueqt.exe
2864	zpdskus.exe
820	mrjawzx.exe
1792	wmksdtf.exe
2892	galibbk.exe
1060	trfkkjq.exe
868	gpansrw.exe
2220	qpmkdqd.exe
1812	dfhntqb.exe
2076	qecqcyg.exe
636	agrapbn.exe
2312	krpkceb.exe
1740	whjnlfy.exe
2744	kubdzix.exe
1588	ubfajhf.exe
2448	dhgyzps.exe
2552	odhipjt.exe
2576	bcblyry.exe
2344	lbgiiig.exe
2304	ydmytvk.exe
2432	ktobcdq.exe
2148	vstyubx.exe
2760	kmptepz.exe
944	xckwnyx.exe
1408	hniyabl.exe
2764	rpxinws.exe
2500	eoslwex.exe
2192	rbjbjiw.exe
1612	apkyzpj.exe
2024	loowkor.exe
448	vnstcnq.exe
2080	imvwlnw.exe
2016	ptiwxcf.exe
1520	cgamdge.exe
1412	pigbwti.exe
1580	zlvmkwx.exe
112	mjqgswu.exe
2100	wfrzaqd.exe
2340	mqomjmf.exe
1564	tyjmecp.exe
2476	gaptpot.exe
1768	nerhyzw.exe
1548	xhprucc.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	inxzdbz.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	rwqdkxe.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	wmksdtf.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	sldxkql.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	feaxbje.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	svqelsn.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	hxvqwog.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	mrjawzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	wczjczx.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	mosabrh.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	swgatia.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	udoywex.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	nelemdc.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	paqazeg.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	lywifbq.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	fenliyx.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	boyposk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	xbjikof.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	kqtxsjs.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	quhcdul.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	mzcucbe.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	lwbvdba.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	vktvypk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	gueoxad.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	uhfwkjy.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	hxtrmur.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	gdqjbeu.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	vdxgmzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	ptiwxcf.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	jpmvtqo.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	rexvpys.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	ytrluqp.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	xcbrsti.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	wrkansp.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	Process not Found
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	ibrtgae.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	jyqnojt.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	qjtwsir.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	gpansrw.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	qecqcyg.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	vdzxkqu.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	jmssncg.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	shugxmb.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	lutguhu.exe

Loads dropped DLL 64 IoCs

pid	Process
2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe
2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe
1492	lcpgccj.exe
1492	lcpgccj.exe
2160	qlxblhp.exe
2160	qlxblhp.exe
2316	dbaebhu.exe
2316	dbaebhu.exe
1636	iolenrz.exe
1636	iolenrz.exe
1960	zvlbrfq.exe
1960	zvlbrfq.exe
2996	oohobts.exe
2996	oohobts.exe
2880	yzxzwwz.exe
2880	yzxzwwz.exe
2948	ykgjkds.exe
2948	ykgjkds.exe
2352	nssjrnw.exe
2352	nssjrnw.exe
1368	xcpueqc.exe
1368	xcpueqc.exe
2044	nkbclhg.exe
2044	nkbclhg.exe
2332	rbyxhor.exe
2332	rbyxhor.exe
3020	pvbkxqy.exe
3020	pvbkxqy.exe
2824	egqxhea.exe
2824	egqxhea.exe
2372	rmhzvvl.exe
2372	rmhzvvl.exe
2428	gyquzai.exe
2428	gyquzai.exe
1996	qbffudo.exe
1996	qbffudo.exe
2828	dzazdlu.exe
2828	dzazdlu.exe
1620	ckynsfc.exe
1620	ckynsfc.exe
2676	sphiwkz.exe
2676	sphiwkz.exe
2640	czwkrnn.exe
2640	czwkrnn.exe
2668	mclueqt.exe
2668	mclueqt.exe
2864	zpdskus.exe
2864	zpdskus.exe
820	mrjawzx.exe
820	mrjawzx.exe
1792	wmksdtf.exe
1792	wmksdtf.exe
2892	galibbk.exe
2892	galibbk.exe
1060	trfkkjq.exe
1060	trfkkjq.exe
868	gpansrw.exe
868	gpansrw.exe
2220	qpmkdqd.exe
2220	qpmkdqd.exe
1812	dfhntqb.exe
1812	dfhntqb.exe
2076	qecqcyg.exe
2076	qecqcyg.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2820-0-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/files/0x0008000000016d30-124.dat	themida
behavioral1/memory/2820-128-0x0000000004CF0000-0x00000000050A7000-memory.dmp	themida
behavioral1/memory/1492-132-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1492-131-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1492-136-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2160-149-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1492-146-0x0000000004BC0000-0x0000000004F77000-memory.dmp	themida
behavioral1/memory/2316-163-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1636-176-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2316-178-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1960-190-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2996-319-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2996-450-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2880-448-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1960-401-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2948-577-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2880-696-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2044-977-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1368-966-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2332-1214-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/3020-1334-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2824-1452-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2372-1572-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2428-1692-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1996-1812-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2828-1932-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1620-2054-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2676-2172-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2640-2294-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2668-2412-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2864-2534-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/820-2652-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1792-2772-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2892-2892-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1060-3012-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/868-3132-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2220-3254-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1812-3268-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/636-3509-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2312-3628-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1740-3748-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2744-3868-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1588-3988-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2448-4108-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2552-4228-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2576-4348-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2344-4468-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2304-4588-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2432-4708-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2148-4829-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2760-4948-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/944-5068-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1408-5188-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2764-5308-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2500-5428-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2192-5548-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1612-5668-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2024-5788-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/448-5908-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2080-6028-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/2016-6148-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1520-6270-0x0000000000400000-0x00000000007B7000-memory.dmp	themida
behavioral1/memory/1412-6390-0x0000000000400000-0x00000000007B7000-memory.dmp	themida

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\traxawm.exe	gafusoh.exe
File opened for modification	C:\Windows\SysWOW64\kineazi.exe	Process not Found
File created	C:\Windows\SysWOW64\lkxcrca.exe	Process not Found
File created	C:\Windows\SysWOW64\sjwlrzj.exe	Process not Found
File created	C:\Windows\SysWOW64\nnoohwh.exe	awulyoc.exe
File created	C:\Windows\SysWOW64\gueoxad.exe	wvsrfbw.exe
File opened for modification	C:\Windows\SysWOW64\bbnidne.exe	llbaeda.exe
File created	C:\Windows\SysWOW64\boyposk.exe	oydmfke.exe
File created	C:\Windows\SysWOW64\apzhifu.exe	kznzbvq.exe
File opened for modification	C:\Windows\SysWOW64\dfamqer.exe	traxawm.exe
File created	C:\Windows\SysWOW64\eceknsp.exe	Process not Found
File created	C:\Windows\SysWOW64\rhmohhx.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jtpxesk.exe	wcnuvke.exe
File opened for modification	C:\Windows\SysWOW64\sbytnve.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\xddmkhl.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\blumcyw.exe	Process not Found
File created	C:\Windows\SysWOW64\xaufduu.exe	naiisvm.exe
File created	C:\Windows\SysWOW64\ekpdxob.exe	lknqsvh.exe
File opened for modification	C:\Windows\SysWOW64\qxmuwlg.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\qtniyjr.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ktobcdq.exe	ydmytvk.exe
File created	C:\Windows\SysWOW64\iileput.exe	Process not Found
File created	C:\Windows\SysWOW64\vclukkf.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\gflxlac.exe	wrkansp.exe
File opened for modification	C:\Windows\SysWOW64\jkajgpr.exe	Process not Found
File created	C:\Windows\SysWOW64\plzfwmp.exe	Process not Found
File created	C:\Windows\SysWOW64\vssqvml.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\apzhifu.exe	kznzbvq.exe
File created	C:\Windows\SysWOW64\wlsdhgu.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\lnbxoxl.exe	Process not Found
File created	C:\Windows\SysWOW64\vhlqlmy.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\apxibxd.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ggcdcce.exe	fpooeyr.exe
File opened for modification	C:\Windows\SysWOW64\jghtfmd.exe	aesjsrx.exe
File created	C:\Windows\SysWOW64\oydmfke.exe	bhajwkh.exe
File created	C:\Windows\SysWOW64\bwxhlil.exe	Process not Found
File created	C:\Windows\SysWOW64\xssbrzc.exe	Process not Found
File created	C:\Windows\SysWOW64\crcoysf.exe	Process not Found
File created	C:\Windows\SysWOW64\whjnlfy.exe	krpkceb.exe
File created	C:\Windows\SysWOW64\rmhzvvl.exe	egqxhea.exe
File opened for modification	C:\Windows\SysWOW64\jjxlmgy.exe	wscidxs.exe
File created	C:\Windows\SysWOW64\rtdqrym.exe	edanbqg.exe
File opened for modification	C:\Windows\SysWOW64\vvyqgts.exe	frydkgn.exe
File created	C:\Windows\SysWOW64\zjzzsgp.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\xmfayci.exe	Process not Found
File created	C:\Windows\SysWOW64\ggbmgws.exe	Process not Found
File created	C:\Windows\SysWOW64\rbyxhor.exe	nkbclhg.exe
File opened for modification	C:\Windows\SysWOW64\abrhqjx.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\squlwxt.exe	fazjfpo.exe
File created	C:\Windows\SysWOW64\lrwkxhq.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\rsavstq.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\axoygdt.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\wuazrei.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\jpmvtqo.exe	wrjskqq.exe
File opened for modification	C:\Windows\SysWOW64\wrkansp.exe	jtpxesk.exe
File created	C:\Windows\SysWOW64\kqkekrd.exe	Process not Found
File created	C:\Windows\SysWOW64\agrapbn.exe	qecqcyg.exe
File opened for modification	C:\Windows\SysWOW64\zkgzusy.exe	mtlwess.exe
File created	C:\Windows\SysWOW64\wscidxs.exe	mimyium.exe
File opened for modification	C:\Windows\SysWOW64\xvjbmgs.exe	kwhydym.exe
File opened for modification	C:\Windows\SysWOW64\kkomulb.exe	iwnxedo.exe
File created	C:\Windows\SysWOW64\glqfwqm.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\ofyikmn.exe	Process not Found
File created	C:\Windows\SysWOW64\ochqtef.exe	Process not Found

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjtwsir.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfamqer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhusszt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyziqge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npjkofg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apzhifu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xtuzovm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 64 IoCs

pid	Process
1716	regedit.exe
2628	regedit.exe
3416	Process not Found
3600	Process not Found
4780	Process not Found
2164	regedit.exe
1624	regedit.exe
2164	regedit.exe
3520	regedit.exe
2800	Process not Found
4544	Process not Found
1576	Process not Found
596	Process not Found
1708	regedit.exe
2400	regedit.exe
1692	Process not Found
4048	Process not Found
564	regedit.exe
3316	Process not Found
3544	Process not Found
1300	regedit.exe
788	regedit.exe
536	regedit.exe
2684	regedit.exe
2872	regedit.exe
2368	regedit.exe
948	regedit.exe
3368	Process not Found
2964	regedit.exe
3252	Process not Found
3556	Process not Found
3540	regedit.exe
2212	regedit.exe
596	regedit.exe
2724	regedit.exe
2868	regedit.exe
2852	regedit.exe
3552	Process not Found
2440	Process not Found
4716	Process not Found
2852	regedit.exe
2020	regedit.exe
2456	regedit.exe
3360	regedit.exe
1300	Process not Found
3452	Process not Found
4108	Process not Found
4368	Process not Found
2492	regedit.exe
4220	Process not Found
2852	regedit.exe
2052	regedit.exe
3640	Process not Found
4800	Process not Found
1160	Process not Found
772	regedit.exe
1004	regedit.exe
2424	regedit.exe
2520	regedit.exe
4776	Process not Found
1780	Process not Found
2268	regedit.exe
4580	Process not Found
4160	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe
1492	lcpgccj.exe
2160	qlxblhp.exe
2316	dbaebhu.exe
1636	iolenrz.exe
1960	zvlbrfq.exe
2996	oohobts.exe
2880	yzxzwwz.exe
2948	ykgjkds.exe
2352	nssjrnw.exe
1368	xcpueqc.exe
2044	nkbclhg.exe
2332	rbyxhor.exe
3020	pvbkxqy.exe
2824	egqxhea.exe
2372	rmhzvvl.exe
2428	gyquzai.exe
1996	qbffudo.exe
2828	dzazdlu.exe
1620	ckynsfc.exe
2676	sphiwkz.exe
2640	czwkrnn.exe
2668	mclueqt.exe
2864	zpdskus.exe
820	mrjawzx.exe
1792	wmksdtf.exe
2892	galibbk.exe
1060	trfkkjq.exe
868	gpansrw.exe
2220	qpmkdqd.exe
1812	dfhntqb.exe
2076	qecqcyg.exe
636	agrapbn.exe
2312	krpkceb.exe
1740	whjnlfy.exe
2744	kubdzix.exe
1588	ubfajhf.exe
2448	dhgyzps.exe
2552	odhipjt.exe
2576	bcblyry.exe
2344	lbgiiig.exe
2304	ydmytvk.exe
2432	ktobcdq.exe
2148	vstyubx.exe
2760	kmptepz.exe
944	xckwnyx.exe
1408	hniyabl.exe
2764	rpxinws.exe
2500	eoslwex.exe
2192	rbjbjiw.exe
1612	apkyzpj.exe
2024	loowkor.exe
448	vnstcnq.exe
2080	imvwlnw.exe
2016	ptiwxcf.exe
1520	cgamdge.exe
1412	pigbwti.exe
1580	zlvmkwx.exe
112	mjqgswu.exe
2100	wfrzaqd.exe
2340	mqomjmf.exe
1564	tyjmecp.exe
2476	gaptpot.exe
1768	nerhyzw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2596	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	266
PID 2820 wrote to memory of 2596	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	266
PID 2820 wrote to memory of 2596	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	266
PID 2820 wrote to memory of 2596	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	266
PID 2596 wrote to memory of 1352	2596	cmd.exe	49
PID 2596 wrote to memory of 1352	2596	cmd.exe	49
PID 2596 wrote to memory of 1352	2596	cmd.exe	49
PID 2596 wrote to memory of 1352	2596	cmd.exe	49
PID 2820 wrote to memory of 1492	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1492	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1492	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	32
PID 2820 wrote to memory of 1492	2820	ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe	32
PID 1492 wrote to memory of 2160	1492	lcpgccj.exe	33
PID 1492 wrote to memory of 2160	1492	lcpgccj.exe	33
PID 1492 wrote to memory of 2160	1492	lcpgccj.exe	33
PID 1492 wrote to memory of 2160	1492	lcpgccj.exe	33
PID 2160 wrote to memory of 2316	2160	qlxblhp.exe	34
PID 2160 wrote to memory of 2316	2160	qlxblhp.exe	34
PID 2160 wrote to memory of 2316	2160	qlxblhp.exe	34
PID 2160 wrote to memory of 2316	2160	qlxblhp.exe	34
PID 2316 wrote to memory of 1636	2316	dbaebhu.exe	35
PID 2316 wrote to memory of 1636	2316	dbaebhu.exe	35
PID 2316 wrote to memory of 1636	2316	dbaebhu.exe	35
PID 2316 wrote to memory of 1636	2316	dbaebhu.exe	35
PID 1636 wrote to memory of 1960	1636	iolenrz.exe	36
PID 1636 wrote to memory of 1960	1636	iolenrz.exe	36
PID 1636 wrote to memory of 1960	1636	iolenrz.exe	36
PID 1636 wrote to memory of 1960	1636	iolenrz.exe	36
PID 1960 wrote to memory of 1056	1960	zvlbrfq.exe	37
PID 1960 wrote to memory of 1056	1960	zvlbrfq.exe	37
PID 1960 wrote to memory of 1056	1960	zvlbrfq.exe	37
PID 1960 wrote to memory of 1056	1960	zvlbrfq.exe	37
PID 1056 wrote to memory of 2768	1056	cmd.exe	288
PID 1056 wrote to memory of 2768	1056	cmd.exe	288
PID 1056 wrote to memory of 2768	1056	cmd.exe	288
PID 1056 wrote to memory of 2768	1056	cmd.exe	288
PID 1960 wrote to memory of 2996	1960	zvlbrfq.exe	39
PID 1960 wrote to memory of 2996	1960	zvlbrfq.exe	39
PID 1960 wrote to memory of 2996	1960	zvlbrfq.exe	39
PID 1960 wrote to memory of 2996	1960	zvlbrfq.exe	39
PID 2996 wrote to memory of 2176	2996	oohobts.exe	127
PID 2996 wrote to memory of 2176	2996	oohobts.exe	127
PID 2996 wrote to memory of 2176	2996	oohobts.exe	127
PID 2996 wrote to memory of 2176	2996	oohobts.exe	127
PID 2996 wrote to memory of 2880	2996	oohobts.exe	42
PID 2996 wrote to memory of 2880	2996	oohobts.exe	42
PID 2996 wrote to memory of 2880	2996	oohobts.exe	42
PID 2996 wrote to memory of 2880	2996	oohobts.exe	42
PID 2176 wrote to memory of 2236	2176	cmd.exe	41
PID 2176 wrote to memory of 2236	2176	cmd.exe	41
PID 2176 wrote to memory of 2236	2176	cmd.exe	41
PID 2176 wrote to memory of 2236	2176	cmd.exe	41
PID 2880 wrote to memory of 692	2880	yzxzwwz.exe	43
PID 2880 wrote to memory of 692	2880	yzxzwwz.exe	43
PID 2880 wrote to memory of 692	2880	yzxzwwz.exe	43
PID 2880 wrote to memory of 692	2880	yzxzwwz.exe	43
PID 2880 wrote to memory of 2948	2880	yzxzwwz.exe	44
PID 2880 wrote to memory of 2948	2880	yzxzwwz.exe	44
PID 2880 wrote to memory of 2948	2880	yzxzwwz.exe	44
PID 2880 wrote to memory of 2948	2880	yzxzwwz.exe	44
PID 692 wrote to memory of 1812	692	cmd.exe	45
PID 692 wrote to memory of 1812	692	cmd.exe	45
PID 692 wrote to memory of 1812	692	cmd.exe	45
PID 692 wrote to memory of 1812	692	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    PID:1352
- C:\Windows\SysWOW64\lcpgccj.exe
  C:\Windows\system32\lcpgccj.exe 656 "C:\Users\Admin\AppData\Local\Temp\ae70e848f771cf4213fed3fe2d133315_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\qlxblhp.exe
    C:\Windows\system32\qlxblhp.exe 632 "C:\Windows\SysWOW64\lcpgccj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\dbaebhu.exe
      C:\Windows\system32\dbaebhu.exe 712 "C:\Windows\SysWOW64\qlxblhp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\iolenrz.exe
        
        C:\Windows\system32\iolenrz.exe 636 "C:\Windows\SysWOW64\dbaebhu.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\SysWOW64\zvlbrfq.exe
        
        C:\Windows\system32\zvlbrfq.exe 624 "C:\Windows\SysWOW64\iolenrz.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\oohobts.exe
        
        C:\Windows\system32\oohobts.exe 728 "C:\Windows\SysWOW64\zvlbrfq.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\yzxzwwz.exe
        
        C:\Windows\system32\yzxzwwz.exe 736 "C:\Windows\SysWOW64\oohobts.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\ykgjkds.exe
        
        C:\Windows\system32\ykgjkds.exe 648 "C:\Windows\SysWOW64\yzxzwwz.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\nssjrnw.exe
        
        C:\Windows\system32\nssjrnw.exe 740 "C:\Windows\SysWOW64\ykgjkds.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        11⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\xcpueqc.exe
        
        C:\Windows\system32\xcpueqc.exe 744 "C:\Windows\SysWOW64\nssjrnw.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        12⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\nkbclhg.exe
        
        C:\Windows\system32\nkbclhg.exe 752 "C:\Windows\SysWOW64\xcpueqc.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        13⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\rbyxhor.exe
        
        C:\Windows\system32\rbyxhor.exe 660 "C:\Windows\SysWOW64\nkbclhg.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        14⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        15⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\pvbkxqy.exe
        
        C:\Windows\system32\pvbkxqy.exe 676 "C:\Windows\SysWOW64\rbyxhor.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        15⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\egqxhea.exe
        
        C:\Windows\system32\egqxhea.exe 764 "C:\Windows\SysWOW64\pvbkxqy.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        16⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        17⤵
        Runs .reg file with regedit
        
        PID:1004
        
        C:\Windows\SysWOW64\rmhzvvl.exe
        
        C:\Windows\system32\rmhzvvl.exe 768 "C:\Windows\SysWOW64\egqxhea.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        17⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\gyquzai.exe
        
        C:\Windows\system32\gyquzai.exe 772 "C:\Windows\SysWOW64\rmhzvvl.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        18⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        19⤵
        Modifies security service
        
        PID:964
        
        C:\Windows\SysWOW64\qbffudo.exe
        
        C:\Windows\system32\qbffudo.exe 776 "C:\Windows\SysWOW64\gyquzai.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        19⤵
        
        PID:864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\dzazdlu.exe
        
        C:\Windows\system32\dzazdlu.exe 780 "C:\Windows\SysWOW64\qbffudo.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        20⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        21⤵
        
        PID:692
        
        C:\Windows\SysWOW64\ckynsfc.exe
        
        C:\Windows\system32\ckynsfc.exe 784 "C:\Windows\SysWOW64\dzazdlu.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        21⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        
        PID:588
        
        C:\Windows\SysWOW64\sphiwkz.exe
        
        C:\Windows\system32\sphiwkz.exe 760 "C:\Windows\SysWOW64\ckynsfc.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        22⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        23⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\czwkrnn.exe
        
        C:\Windows\system32\czwkrnn.exe 756 "C:\Windows\SysWOW64\sphiwkz.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        23⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        
        PID:2016
        
        C:\Windows\SysWOW64\mclueqt.exe
        
        C:\Windows\system32\mclueqt.exe 796 "C:\Windows\SysWOW64\czwkrnn.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        24⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        25⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\zpdskus.exe
        
        C:\Windows\system32\zpdskus.exe 800 "C:\Windows\SysWOW64\mclueqt.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        26⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\mrjawzx.exe
        
        C:\Windows\system32\mrjawzx.exe 804 "C:\Windows\SysWOW64\zpdskus.exe"
        25⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        26⤵
        
        PID:788
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        27⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\wmksdtf.exe
        
        C:\Windows\system32\wmksdtf.exe 808 "C:\Windows\SysWOW64\mrjawzx.exe"
        26⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        27⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        28⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\galibbk.exe
        
        C:\Windows\system32\galibbk.exe 816 "C:\Windows\SysWOW64\wmksdtf.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        28⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        29⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\trfkkjq.exe
        
        C:\Windows\system32\trfkkjq.exe 812 "C:\Windows\SysWOW64\galibbk.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        29⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        30⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\gpansrw.exe
        
        C:\Windows\system32\gpansrw.exe 828 "C:\Windows\SysWOW64\trfkkjq.exe"
        29⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        30⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\qpmkdqd.exe
        
        C:\Windows\system32\qpmkdqd.exe 820 "C:\Windows\SysWOW64\gpansrw.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        31⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        32⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dfhntqb.exe
        
        C:\Windows\system32\dfhntqb.exe 824 "C:\Windows\SysWOW64\qpmkdqd.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        32⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        33⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\qecqcyg.exe
        
        C:\Windows\system32\qecqcyg.exe 832 "C:\Windows\SysWOW64\dfhntqb.exe"
        32⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        33⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        34⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\agrapbn.exe
        
        C:\Windows\system32\agrapbn.exe 836 "C:\Windows\SysWOW64\qecqcyg.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        34⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        35⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\krpkceb.exe
        
        C:\Windows\system32\krpkceb.exe 840 "C:\Windows\SysWOW64\agrapbn.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        35⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        36⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\whjnlfy.exe
        
        C:\Windows\system32\whjnlfy.exe 844 "C:\Windows\SysWOW64\krpkceb.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        36⤵
        
        PID:588
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        37⤵
        Runs .reg file with regedit
        
        PID:2492
        
        C:\Windows\SysWOW64\kubdzix.exe
        
        C:\Windows\system32\kubdzix.exe 848 "C:\Windows\SysWOW64\whjnlfy.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        37⤵
        
        PID:716
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        38⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\ubfajhf.exe
        
        C:\Windows\system32\ubfajhf.exe 856 "C:\Windows\SysWOW64\kubdzix.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        38⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        39⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\dhgyzps.exe
        
        C:\Windows\system32\dhgyzps.exe 852 "C:\Windows\SysWOW64\ubfajhf.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        39⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\odhipjt.exe
        
        C:\Windows\system32\odhipjt.exe 860 "C:\Windows\SysWOW64\dhgyzps.exe"
        39⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        40⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        41⤵
        Runs .reg file with regedit
        
        PID:2020
        
        C:\Windows\SysWOW64\bcblyry.exe
        
        C:\Windows\system32\bcblyry.exe 864 "C:\Windows\SysWOW64\odhipjt.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        41⤵
        
        PID:816
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        42⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\lbgiiig.exe
        
        C:\Windows\system32\lbgiiig.exe 868 "C:\Windows\SysWOW64\bcblyry.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        42⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        43⤵
        Runs .reg file with regedit
        
        PID:536
        
        C:\Windows\SysWOW64\ydmytvk.exe
        
        C:\Windows\system32\ydmytvk.exe 872 "C:\Windows\SysWOW64\lbgiiig.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        43⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        44⤵
        
        PID:884
        
        C:\Windows\SysWOW64\ktobcdq.exe
        
        C:\Windows\system32\ktobcdq.exe 876 "C:\Windows\SysWOW64\ydmytvk.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        44⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        45⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\vstyubx.exe
        
        C:\Windows\system32\vstyubx.exe 880 "C:\Windows\SysWOW64\ktobcdq.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        45⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        46⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\kmptepz.exe
        
        C:\Windows\system32\kmptepz.exe 884 "C:\Windows\SysWOW64\vstyubx.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        46⤵
        
        PID:644
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        47⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\xckwnyx.exe
        
        C:\Windows\system32\xckwnyx.exe 888 "C:\Windows\SysWOW64\kmptepz.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        47⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        48⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\hniyabl.exe
        
        C:\Windows\system32\hniyabl.exe 892 "C:\Windows\SysWOW64\xckwnyx.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        48⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        49⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\rpxinws.exe
        
        C:\Windows\system32\rpxinws.exe 896 "C:\Windows\SysWOW64\hniyabl.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        49⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        50⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\eoslwex.exe
        
        C:\Windows\system32\eoslwex.exe 900 "C:\Windows\SysWOW64\rpxinws.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        50⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        51⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\rbjbjiw.exe
        
        C:\Windows\system32\rbjbjiw.exe 912 "C:\Windows\SysWOW64\eoslwex.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        51⤵
        
        PID:964
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        52⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\apkyzpj.exe
        
        C:\Windows\system32\apkyzpj.exe 904 "C:\Windows\SysWOW64\rbjbjiw.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        52⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\Windows\SysWOW64\loowkor.exe
        
        C:\Windows\system32\loowkor.exe 920 "C:\Windows\SysWOW64\apkyzpj.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        53⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        54⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\vnstcnq.exe
        
        C:\Windows\system32\vnstcnq.exe 908 "C:\Windows\SysWOW64\loowkor.exe"
        53⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        54⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        55⤵
        Runs .reg file with regedit
        
        PID:564
        
        C:\Windows\SysWOW64\imvwlnw.exe
        
        C:\Windows\system32\imvwlnw.exe 928 "C:\Windows\SysWOW64\vnstcnq.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        55⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        56⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\ptiwxcf.exe
        
        C:\Windows\system32\ptiwxcf.exe 916 "C:\Windows\SysWOW64\imvwlnw.exe"
        55⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        57⤵
        Runs .reg file with regedit
        
        PID:2852
        
        C:\Windows\SysWOW64\cgamdge.exe
        
        C:\Windows\system32\cgamdge.exe 924 "C:\Windows\SysWOW64\ptiwxcf.exe"
        56⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        57⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        58⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\pigbwti.exe
        
        C:\Windows\system32\pigbwti.exe 932 "C:\Windows\SysWOW64\cgamdge.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        58⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        59⤵
        Runs .reg file with regedit
        
        PID:1708
        
        C:\Windows\SysWOW64\zlvmkwx.exe
        
        C:\Windows\system32\zlvmkwx.exe 936 "C:\Windows\SysWOW64\pigbwti.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        59⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        60⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\mjqgswu.exe
        
        C:\Windows\system32\mjqgswu.exe 940 "C:\Windows\SysWOW64\zlvmkwx.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        60⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        61⤵
        Runs .reg file with regedit
        
        PID:772
        
        C:\Windows\SysWOW64\wfrzaqd.exe
        
        C:\Windows\system32\wfrzaqd.exe 944 "C:\Windows\SysWOW64\mjqgswu.exe"
        60⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        62⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\mqomjmf.exe
        
        C:\Windows\system32\mqomjmf.exe 948 "C:\Windows\SysWOW64\wfrzaqd.exe"
        61⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        62⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        63⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\tyjmecp.exe
        
        C:\Windows\system32\tyjmecp.exe 952 "C:\Windows\SysWOW64\mqomjmf.exe"
        62⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        63⤵
        
        PID:584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        64⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\gaptpot.exe
        
        C:\Windows\system32\gaptpot.exe 956 "C:\Windows\SysWOW64\tyjmecp.exe"
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        64⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\nerhyzw.exe
        
        C:\Windows\system32\nerhyzw.exe 960 "C:\Windows\SysWOW64\gaptpot.exe"
        64⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        65⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        66⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\xhprucc.exe
        
        C:\Windows\system32\xhprucc.exe 964 "C:\Windows\SysWOW64\nerhyzw.exe"
        65⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        66⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        67⤵
        Runs .reg file with regedit
        
        PID:2964
        
        C:\Windows\SysWOW64\zcibbxl.exe
        
        C:\Windows\system32\zcibbxl.exe 968 "C:\Windows\SysWOW64\xhprucc.exe"
        66⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        68⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\pwewlln.exe
        
        C:\Windows\system32\pwewlln.exe 972 "C:\Windows\SysWOW64\zcibbxl.exe"
        67⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        68⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        69⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\zrfhsfo.exe
        
        C:\Windows\system32\zrfhsfo.exe 976 "C:\Windows\SysWOW64\pwewlln.exe"
        68⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        69⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        70⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\mtlwess.exe
        
        C:\Windows\system32\mtlwess.exe 980 "C:\Windows\SysWOW64\zrfhsfo.exe"
        69⤵
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        70⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        71⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\zkgzusy.exe
        
        C:\Windows\system32\zkgzusy.exe 984 "C:\Windows\SysWOW64\mtlwess.exe"
        70⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        71⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        72⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\mmmpgec.exe
        
        C:\Windows\system32\mmmpgec.exe 792 "C:\Windows\SysWOW64\zkgzusy.exe"
        71⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        72⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        73⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\txtuvyt.exe
        
        C:\Windows\system32\txtuvyt.exe 992 "C:\Windows\SysWOW64\mmmpgec.exe"
        72⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        73⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        74⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\iqqhfmv.exe
        
        C:\Windows\system32\iqqhfmv.exe 996 "C:\Windows\SysWOW64\txtuvyt.exe"
        73⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        74⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        75⤵
        Runs .reg file with regedit
        
        PID:788
        
        C:\Windows\SysWOW64\vdzxkqu.exe
        
        C:\Windows\system32\vdzxkqu.exe 1000 "C:\Windows\SysWOW64\iqqhfmv.exe"
        74⤵
        Identifies Wine through registry keys
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        75⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        76⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\iccztyz.exe
        
        C:\Windows\system32\iccztyz.exe 1004 "C:\Windows\SysWOW64\vdzxkqu.exe"
        75⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        76⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        77⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\sbgxlxh.exe
        
        C:\Windows\system32\sbgxlxh.exe 988 "C:\Windows\SysWOW64\iccztyz.exe"
        76⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        77⤵
        
        PID:584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        78⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cphubem.exe
        
        C:\Windows\system32\cphubem.exe 1012 "C:\Windows\SysWOW64\sbgxlxh.exe"
        77⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        78⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        79⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\pcqkhat.exe
        
        C:\Windows\system32\pcqkhat.exe 1016 "C:\Windows\SysWOW64\cphubem.exe"
        78⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        79⤵
        
        PID:864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        80⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\zfoucdz.exe
        
        C:\Windows\system32\zfoucdz.exe 1020 "C:\Windows\SysWOW64\pcqkhat.exe"
        79⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        80⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        81⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\jmssncg.exe
        
        C:\Windows\system32\jmssncg.exe 1028 "C:\Windows\SysWOW64\zfoucdz.exe"
        80⤵
        Identifies Wine through registry keys
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        82⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\wcnuvke.exe
        
        C:\Windows\system32\wcnuvke.exe 1032 "C:\Windows\SysWOW64\jmssncg.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        82⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        83⤵
        Modifies security service
        
        PID:2156
        
        C:\Windows\SysWOW64\jtpxesk.exe
        
        C:\Windows\system32\jtpxesk.exe 1036 "C:\Windows\SysWOW64\wcnuvke.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        83⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        84⤵
        Modifies security service
        
        PID:1560
        
        C:\Windows\SysWOW64\wrkansp.exe
        
        C:\Windows\system32\wrkansp.exe 1040 "C:\Windows\SysWOW64\jtpxesk.exe"
        83⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        84⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        85⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\gflxlac.exe
        
        C:\Windows\system32\gflxlac.exe 1044 "C:\Windows\SysWOW64\wrkansp.exe"
        84⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        85⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        86⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\swgatia.exe
        
        C:\Windows\system32\swgatia.exe 1048 "C:\Windows\SysWOW64\gflxlac.exe"
        85⤵
        Identifies Wine through registry keys
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        86⤵
        
        PID:476
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        87⤵
        Runs .reg file with regedit
        
        PID:1300
        
        C:\Windows\SysWOW64\fmjccif.exe
        
        C:\Windows\system32\fmjccif.exe 788 "C:\Windows\SysWOW64\swgatia.exe"
        86⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        87⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        88⤵
        Modifies security service
        
        PID:2496
        
        C:\Windows\SysWOW64\sldxkql.exe
        
        C:\Windows\system32\sldxkql.exe 1056 "C:\Windows\SysWOW64\fmjccif.exe"
        87⤵
        Identifies Wine through registry keys
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        88⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        89⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cntiytr.exe
        
        C:\Windows\system32\cntiytr.exe 1064 "C:\Windows\SysWOW64\sldxkql.exe"
        88⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        89⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        90⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\pmokgcx.exe
        
        C:\Windows\system32\pmokgcx.exe 1060 "C:\Windows\SysWOW64\cntiytr.exe"
        89⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        90⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        91⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\zplvcfd.exe
        
        C:\Windows\system32\zplvcfd.exe 1068 "C:\Windows\SysWOW64\pmokgcx.exe"
        90⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        92⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\pblqgka.exe
        
        C:\Windows\system32\pblqgka.exe 1072 "C:\Windows\SysWOW64\zplvcfd.exe"
        91⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        92⤵
        
        PID:332
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        93⤵
        Runs .reg file with regedit
        
        PID:2268
        
        C:\Windows\SysWOW64\zapnqjh.exe
        
        C:\Windows\system32\zapnqjh.exe 1076 "C:\Windows\SysWOW64\pblqgka.exe"
        92⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        93⤵
        
        PID:288
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        94⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\jdnxdmo.exe
        
        C:\Windows\system32\jdnxdmo.exe 1080 "C:\Windows\SysWOW64\zapnqjh.exe"
        93⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        94⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        95⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\opgfwoa.exe
        
        C:\Windows\system32\opgfwoa.exe 1084 "C:\Windows\SysWOW64\jdnxdmo.exe"
        94⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        95⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        96⤵
        Modifies security service
        
        PID:1464
        
        C:\Windows\SysWOW64\bgbifwy.exe
        
        C:\Windows\system32\bgbifwy.exe 1088 "C:\Windows\SysWOW64\opgfwoa.exe"
        95⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        96⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\nihyqik.exe
        
        C:\Windows\system32\nihyqik.exe 1092 "C:\Windows\SysWOW64\bgbifwy.exe"
        96⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        97⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        98⤵
        
        PID:408
        
        C:\Windows\SysWOW64\aknfknp.exe
        
        C:\Windows\system32\aknfknp.exe 1096 "C:\Windows\SysWOW64\nihyqik.exe"
        97⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        98⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        99⤵
        
        PID:588
        
        C:\Windows\SysWOW64\naiisvm.exe
        
        C:\Windows\system32\naiisvm.exe 1100 "C:\Windows\SysWOW64\aknfknp.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        100⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\xaufduu.exe
        
        C:\Windows\system32\xaufduu.exe 1104 "C:\Windows\SysWOW64\naiisvm.exe"
        99⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        100⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\hhylnsb.exe
        
        C:\Windows\system32\hhylnsb.exe 1052 "C:\Windows\SysWOW64\xaufduu.exe"
        100⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        101⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        102⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\xsvyxge.exe
        
        C:\Windows\system32\xsvyxge.exe 1108 "C:\Windows\SysWOW64\hhylnsb.exe"
        101⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        102⤵
        
        PID:332
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        103⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\ewflozo.exe
        
        C:\Windows\system32\ewflozo.exe 684 "C:\Windows\SysWOW64\xsvyxge.exe"
        102⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        103⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\lpeqdtx.exe
        
        C:\Windows\system32\lpeqdtx.exe 1120 "C:\Windows\SysWOW64\ewflozo.exe"
        103⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        104⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        105⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\bbbdnhz.exe
        
        C:\Windows\system32\bbbdnhz.exe 1124 "C:\Windows\SysWOW64\lpeqdtx.exe"
        104⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        105⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        106⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\lwbvdba.exe
        
        C:\Windows\system32\lwbvdba.exe 1128 "C:\Windows\SysWOW64\bbbdnhz.exe"
        105⤵
        Identifies Wine through registry keys
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        106⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        107⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\tepoprj.exe
        
        C:\Windows\system32\tepoprj.exe 652 "C:\Windows\SysWOW64\lwbvdba.exe"
        106⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        107⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        108⤵
        Runs .reg file with regedit
        
        PID:2684
        
        C:\Windows\SysWOW64\daqgwlk.exe
        
        C:\Windows\system32\daqgwlk.exe 664 "C:\Windows\SysWOW64\tepoprj.exe"
        107⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        109⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\qcwoqyw.exe
        
        C:\Windows\system32\qcwoqyw.exe 1140 "C:\Windows\SysWOW64\daqgwlk.exe"
        108⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        109⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        110⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\amlydbd.exe
        
        C:\Windows\system32\amlydbd.exe 1144 "C:\Windows\SysWOW64\qcwoqyw.exe"
        109⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        110⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        111⤵
        
        PID:772
        
        C:\Windows\SysWOW64\klxvnak.exe
        
        C:\Windows\system32\klxvnak.exe 1136 "C:\Windows\SysWOW64\amlydbd.exe"
        110⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        111⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        112⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\uhqodul.exe
        
        C:\Windows\system32\uhqodul.exe 1148 "C:\Windows\SysWOW64\klxvnak.exe"
        111⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        112⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        113⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\hxtrmur.exe
        
        C:\Windows\system32\hxtrmur.exe 1156 "C:\Windows\SysWOW64\uhqodul.exe"
        112⤵
        Identifies Wine through registry keys
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        113⤵
        
        PID:288
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        114⤵
        Modifies security service
        
        PID:2604
        
        C:\Windows\SysWOW64\mwotudo.exe
        
        C:\Windows\system32\mwotudo.exe 1152 "C:\Windows\SysWOW64\hxtrmur.exe"
        113⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        114⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        115⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\wvsrfbw.exe
        
        C:\Windows\system32\wvsrfbw.exe 1164 "C:\Windows\SysWOW64\mwotudo.exe"
        114⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        115⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        116⤵
        
        PID:340
        
        C:\Windows\SysWOW64\gueoxad.exe
        
        C:\Windows\system32\gueoxad.exe 1160 "C:\Windows\SysWOW64\wvsrfbw.exe"
        115⤵
        Identifies Wine through registry keys
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        116⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        117⤵
        Modifies security service
        
        PID:536
        
        C:\Windows\SysWOW64\lhxwiki.exe
        
        C:\Windows\system32\lhxwiki.exe 644 "C:\Windows\SysWOW64\gueoxad.exe"
        116⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        117⤵
        
        PID:692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        118⤵
        
        PID:908
        
        C:\Windows\SysWOW64\yxszrkn.exe
        
        C:\Windows\system32\yxszrkn.exe 1180 "C:\Windows\SysWOW64\lhxwiki.exe"
        117⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        118⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\nrpmagq.exe
        
        C:\Windows\system32\nrpmagq.exe 1176 "C:\Windows\SysWOW64\yxszrkn.exe"
        118⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        119⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        120⤵
        
        PID:716
        
        C:\Windows\SysWOW64\shugxmb.exe
        
        C:\Windows\system32\shugxmb.exe 672 "C:\Windows\SysWOW64\nrpmagq.exe"
        119⤵
        Identifies Wine through registry keys
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        120⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        121⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\ibrtgae.exe
        
        C:\Windows\system32\ibrtgae.exe 1184 "C:\Windows\SysWOW64\shugxmb.exe"
        120⤵
        Identifies Wine through registry keys
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        121⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        122⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\rdgetds.exe
        
        C:\Windows\system32\rdgetds.exe 1188 "C:\Windows\SysWOW64\ibrtgae.exe"
        121⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        122⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        123⤵
        Runs .reg file with regedit
        
        PID:1624
        
        C:\Windows\SysWOW64\htrmauo.exe
        
        C:\Windows\system32\htrmauo.exe 1196 "C:\Windows\SysWOW64\rdgetds.exe"
        122⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        123⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        124⤵
        
        PID:692
        
        C:\Windows\SysWOW64\pxcrsfy.exe
        
        C:\Windows\system32\pxcrsfy.exe 680 "C:\Windows\SysWOW64\htrmauo.exe"
        123⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        124⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        125⤵
        Runs .reg file with regedit
        
        PID:2868
        
        C:\Windows\SysWOW64\zwgwcey.exe
        
        C:\Windows\system32\zwgwcey.exe 716 "C:\Windows\SysWOW64\pxcrsfy.exe"
        124⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        126⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\mnizlmd.exe
        
        C:\Windows\system32\mnizlmd.exe 1208 "C:\Windows\SysWOW64\zwgwcey.exe"
        125⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        126⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        127⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\wxybgqk.exe
        
        C:\Windows\system32\wxybgqk.exe 1204 "C:\Windows\SysWOW64\mnizlmd.exe"
        126⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        127⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        128⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\gtzunks.exe
        
        C:\Windows\system32\gtzunks.exe 668 "C:\Windows\SysWOW64\wxybgqk.exe"
        127⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        128⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        129⤵
        Modifies security service
        
        PID:1684
        
        C:\Windows\SysWOW64\tnfkzpx.exe
        
        C:\Windows\system32\tnfkzpx.exe 1220 "C:\Windows\SysWOW64\gtzunks.exe"
        128⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        129⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        130⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\dujhjne.exe
        
        C:\Windows\system32\dujhjne.exe 720 "C:\Windows\SysWOW64\tnfkzpx.exe"
        129⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        130⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        131⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\qlekavc.exe
        
        C:\Windows\system32\qlekavc.exe 1228 "C:\Windows\SysWOW64\dujhjne.exe"
        130⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        131⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        132⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\feaxbje.exe
        
        C:\Windows\system32\feaxbje.exe 1224 "C:\Windows\SysWOW64\qlekavc.exe"
        131⤵
        Identifies Wine through registry keys
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        132⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        133⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\nmwpwzo.exe
        
        C:\Windows\system32\nmwpwzo.exe 1236 "C:\Windows\SysWOW64\feaxbje.exe"
        132⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        133⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        134⤵
        Runs .reg file with regedit
        
        PID:2164
        
        C:\Windows\SysWOW64\acrreht.exe
        
        C:\Windows\system32\acrreht.exe 732 "C:\Windows\SysWOW64\nmwpwzo.exe"
        133⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        134⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        135⤵
        Runs .reg file with regedit
        
        PID:2852
        
        C:\Windows\SysWOW64\jngcska.exe
        
        C:\Windows\system32\jngcska.exe 688 "C:\Windows\SysWOW64\acrreht.exe"
        134⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        135⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        136⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2872
        
        C:\Windows\SysWOW64\zdakyud.exe
        
        C:\Windows\system32\zdakyud.exe 1248 "C:\Windows\SysWOW64\jngcska.exe"
        135⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        136⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        137⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\jcehrsl.exe
        
        C:\Windows\system32\jcehrsl.exe 1244 "C:\Windows\SysWOW64\zdakyud.exe"
        136⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        137⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        138⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\jyqnojt.exe
        
        C:\Windows\system32\jyqnojt.exe 1240 "C:\Windows\SysWOW64\jcehrsl.exe"
        137⤵
        Identifies Wine through registry keys
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        138⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        139⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\bjdfvhu.exe
        
        C:\Windows\system32\bjdfvhu.exe 1260 "C:\Windows\SysWOW64\jyqnojt.exe"
        138⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        140⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\innkfaf.exe
        
        C:\Windows\system32\innkfaf.exe 1232 "C:\Windows\SysWOW64\bjdfvhu.exe"
        139⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        140⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        141⤵
        
        PID:824
        
        C:\Windows\SysWOW64\vsxntii.exe
        
        C:\Windows\system32\vsxntii.exe 1264 "C:\Windows\SysWOW64\innkfaf.exe"
        140⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        141⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\kaqnaal.exe
        
        C:\Windows\system32\kaqnaal.exe 1272 "C:\Windows\SysWOW64\vsxntii.exe"
        141⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        142⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        143⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\vhusszt.exe
        
        C:\Windows\system32\vhusszt.exe 1268 "C:\Windows\SysWOW64\kaqnaal.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        143⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        144⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cstxhtb.exe
        
        C:\Windows\system32\cstxhtb.exe 1280 "C:\Windows\SysWOW64\vhusszt.exe"
        143⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        144⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        145⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\mouhpnc.exe
        
        C:\Windows\system32\mouhpnc.exe 692 "C:\Windows\SysWOW64\cstxhtb.exe"
        144⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        145⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        146⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\wrjskqq.exe
        
        C:\Windows\system32\wrjskqq.exe 1288 "C:\Windows\SysWOW64\mouhpnc.exe"
        145⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        146⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        147⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\jpmvtqo.exe
        
        C:\Windows\system32\jpmvtqo.exe 1132 "C:\Windows\SysWOW64\wrjskqq.exe"
        146⤵
        Identifies Wine through registry keys
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        147⤵
        
        PID:916
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        148⤵
        
        PID:660
        
        C:\Windows\SysWOW64\bwoayrp.exe
        
        C:\Windows\system32\bwoayrp.exe 1296 "C:\Windows\SysWOW64\jpmvtqo.exe"
        147⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        148⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        149⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\jinnnly.exe
        
        C:\Windows\system32\jinnnly.exe 1292 "C:\Windows\SysWOW64\bwoayrp.exe"
        148⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        149⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        150⤵
        
        PID:908
        
        C:\Windows\SysWOW64\vktvypk.exe
        
        C:\Windows\system32\vktvypk.exe 1304 "C:\Windows\SysWOW64\jinnnly.exe"
        149⤵
        Identifies Wine through registry keys
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        150⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        151⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\gfunokl.exe
        
        C:\Windows\system32\gfunokl.exe 1308 "C:\Windows\SysWOW64\vktvypk.exe"
        150⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        151⤵
        
        PID:660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        152⤵
        Runs .reg file with regedit
        
        PID:2724
        
        C:\Windows\SysWOW64\qbnxvel.exe
        
        C:\Windows\system32\qbnxvel.exe 1312 "C:\Windows\SysWOW64\gfunokl.exe"
        151⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        152⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        153⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\aazvgdt.exe
        
        C:\Windows\system32\aazvgdt.exe 1284 "C:\Windows\SysWOW64\qbnxvel.exe"
        152⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        153⤵
        
        PID:600
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        154⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\pxhvsdc.exe
        
        C:\Windows\system32\pxhvsdc.exe 1320 "C:\Windows\SysWOW64\aazvgdt.exe"
        153⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        154⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        155⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\xbjikof.exe
        
        C:\Windows\system32\xbjikof.exe 1200 "C:\Windows\SysWOW64\pxhvsdc.exe"
        154⤵
        Identifies Wine through registry keys
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        155⤵
        
        PID:900
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        156⤵
        
        PID:824
        
        C:\Windows\SysWOW64\kvpyvtj.exe
        
        C:\Windows\system32\kvpyvtj.exe 1328 "C:\Windows\SysWOW64\xbjikof.exe"
        155⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        156⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        157⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\wxvfgfn.exe
        
        C:\Windows\system32\wxvfgfn.exe 1332 "C:\Windows\SysWOW64\kvpyvtj.exe"
        156⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        157⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        158⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\eycfvmr.exe
        
        C:\Windows\system32\eycfvmr.exe 1324 "C:\Windows\SysWOW64\wxvfgfn.exe"
        157⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        158⤵
        
        PID:476
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        159⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\gevdluf.exe
        
        C:\Windows\system32\gevdluf.exe 1340 "C:\Windows\SysWOW64\eycfvmr.exe"
        158⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        159⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        160⤵
        Runs .reg file with regedit
        
        PID:2164
        
        C:\Windows\SysWOW64\qlhavsm.exe
        
        C:\Windows\system32\qlhavsm.exe 1344 "C:\Windows\SysWOW64\gevdluf.exe"
        159⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        160⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        161⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\gphvzgj.exe
        
        C:\Windows\system32\gphvzgj.exe 1348 "C:\Windows\SysWOW64\qlhavsm.exe"
        160⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        161⤵
        
        PID:852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        162⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\svyyoou.exe
        
        C:\Windows\system32\svyyoou.exe 1352 "C:\Windows\SysWOW64\gphvzgj.exe"
        161⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        162⤵
        
        PID:340
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        163⤵
        
        PID:788
        
        C:\Windows\SysWOW64\culvgnc.exe
        
        C:\Windows\system32\culvgnc.exe 1336 "C:\Windows\SysWOW64\svyyoou.exe"
        162⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        163⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        164⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\psfypvz.exe
        
        C:\Windows\system32\psfypvz.exe 1356 "C:\Windows\SysWOW64\culvgnc.exe"
        163⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        164⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        165⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\aogiwqa.exe
        
        C:\Windows\system32\aogiwqa.exe 1360 "C:\Windows\SysWOW64\psfypvz.exe"
        164⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        165⤵
        
        PID:660
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        166⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\mimyium.exe
        
        C:\Windows\system32\mimyium.exe 1368 "C:\Windows\SysWOW64\aogiwqa.exe"
        165⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        166⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        167⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\wscidxs.exe
        
        C:\Windows\system32\wscidxs.exe 1372 "C:\Windows\SysWOW64\mimyium.exe"
        166⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        167⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\jjxlmgy.exe
        
        C:\Windows\system32\jjxlmgy.exe 1376 "C:\Windows\SysWOW64\wscidxs.exe"
        167⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        168⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        169⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\tijjweg.exe
        
        C:\Windows\system32\tijjweg.exe 1212 "C:\Windows\SysWOW64\jjxlmgy.exe"
        168⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        169⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        170⤵
        Runs .reg file with regedit
        
        PID:2400
        
        C:\Windows\SysWOW64\jfjjixh.exe
        
        C:\Windows\system32\jfjjixh.exe 1384 "C:\Windows\SysWOW64\tijjweg.exe"
        169⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        170⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        171⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\qjtwsir.exe
        
        C:\Windows\system32\qjtwsir.exe 1112 "C:\Windows\SysWOW64\jfjjixh.exe"
        170⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        172⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\gdqjbeu.exe
        
        C:\Windows\system32\gdqjbeu.exe 1388 "C:\Windows\SysWOW64\qjtwsir.exe"
        171⤵
        Identifies Wine through registry keys
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        172⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        173⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\nklbwtd.exe
        
        C:\Windows\system32\nklbwtd.exe 1172 "C:\Windows\SysWOW64\gdqjbeu.exe"
        172⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        173⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        174⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\daxjccz.exe
        
        C:\Windows\system32\daxjccz.exe 1400 "C:\Windows\SysWOW64\nklbwtd.exe"
        173⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        174⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        175⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cwjgzbq.exe
        
        C:\Windows\system32\cwjgzbq.exe 748 "C:\Windows\SysWOW64\daxjccz.exe"
        174⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        176⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\rqfbjps.exe
        
        C:\Windows\system32\rqfbjps.exe 1408 "C:\Windows\SysWOW64\cwjgzbq.exe"
        175⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        176⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        177⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\wczjczx.exe
        
        C:\Windows\system32\wczjczx.exe 700 "C:\Windows\SysWOW64\rqfbjps.exe"
        176⤵
        Identifies Wine through registry keys
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        177⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        178⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\mhzeget.exe
        
        C:\Windows\system32\mhzeget.exe 1416 "C:\Windows\SysWOW64\wczjczx.exe"
        177⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        178⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        179⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cawrise.exe
        
        C:\Windows\system32\cawrise.exe 1420 "C:\Windows\SysWOW64\mhzeget.exe"
        178⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        179⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        180⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\mzioard.exe
        
        C:\Windows\system32\mzioard.exe 1424 "C:\Windows\SysWOW64\cawrise.exe"
        179⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        180⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        181⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\vnjmqyq.exe
        
        C:\Windows\system32\vnjmqyq.exe 1412 "C:\Windows\SysWOW64\mzioard.exe"
        180⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        181⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        182⤵
        
        PID:288
        
        C:\Windows\SysWOW64\dslzijt.exe
        
        C:\Windows\system32\dslzijt.exe 704 "C:\Windows\SysWOW64\vnjmqyq.exe"
        181⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        182⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        183⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\tzezobx.exe
        
        C:\Windows\system32\tzezobx.exe 1404 "C:\Windows\SysWOW64\dslzijt.exe"
        182⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        183⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        184⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\fbkoafb.exe
        
        C:\Windows\system32\fbkoafb.exe 1440 "C:\Windows\SysWOW64\tzezobx.exe"
        183⤵
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        184⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        185⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\svqelsn.exe
        
        C:\Windows\system32\svqelsn.exe 1444 "C:\Windows\SysWOW64\fbkoafb.exe"
        184⤵
        Identifies Wine through registry keys
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        185⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        186⤵
        Runs .reg file with regedit
        
        PID:2424
        
        C:\Windows\SysWOW64\crjotmo.exe
        
        C:\Windows\system32\crjotmo.exe 1448 "C:\Windows\SysWOW64\svqelsn.exe"
        185⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        186⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        187⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\kkquqgw.exe
        
        C:\Windows\system32\kkquqgw.exe 1216 "C:\Windows\SysWOW64\crjotmo.exe"
        186⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        187⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        188⤵
        Runs .reg file with regedit
        
        PID:2852
        
        C:\Windows\SysWOW64\zenpzuz.exe
        
        C:\Windows\system32\zenpzuz.exe 1456 "C:\Windows\SysWOW64\kkquqgw.exe"
        187⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        188⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        189⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\efvjqzf.exe
        
        C:\Windows\system32\efvjqzf.exe 708 "C:\Windows\SysWOW64\zenpzuz.exe"
        188⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        189⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        190⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\rvqmyik.exe
        
        C:\Windows\system32\rvqmyik.exe 1380 "C:\Windows\SysWOW64\efvjqzf.exe"
        189⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        190⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        191⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\exwukmp.exe
        
        C:\Windows\system32\exwukmp.exe 1392 "C:\Windows\SysWOW64\rvqmyik.exe"
        190⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        191⤵
        
        PID:584
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        192⤵
        
        PID:616
        
        C:\Windows\SysWOW64\oilexpv.exe
        
        C:\Windows\system32\oilexpv.exe 1472 "C:\Windows\SysWOW64\exwukmp.exe"
        191⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        192⤵
        
        PID:588
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        193⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\ayohgxa.exe
        
        C:\Windows\system32\ayohgxa.exe 1256 "C:\Windows\SysWOW64\oilexpv.exe"
        192⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        193⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        194⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\npjkofg.exe
        
        C:\Windows\system32\npjkofg.exe 1476 "C:\Windows\SysWOW64\ayohgxa.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        194⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\digfyti.exe
        
        C:\Windows\system32\digfyti.exe 1484 "C:\Windows\SysWOW64\npjkofg.exe"
        194⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        195⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        196⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\kqtxsjs.exe
        
        C:\Windows\system32\kqtxsjs.exe 1488 "C:\Windows\SysWOW64\digfyti.exe"
        195⤵
        Identifies Wine through registry keys
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        196⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        197⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\uxfuciz.exe
        
        C:\Windows\system32\uxfuciz.exe 724 "C:\Windows\SysWOW64\kqtxsjs.exe"
        196⤵
        
        PID:584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        197⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        198⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\kjcpmvc.exe
        
        C:\Windows\system32\kjcpmvc.exe 1496 "C:\Windows\SysWOW64\uxfuciz.exe"
        197⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        198⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        199⤵
        
        PID:332
        
        C:\Windows\SysWOW64\wlixyig.exe
        
        C:\Windows\system32\wlixyig.exe 1500 "C:\Windows\SysWOW64\kjcpmvc.exe"
        198⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        199⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        200⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\bxbfrsl.exe
        
        C:\Windows\system32\bxbfrsl.exe 1396 "C:\Windows\SysWOW64\wlixyig.exe"
        199⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        200⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        201⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\oowhzsq.exe
        
        C:\Windows\system32\oowhzsq.exe 1428 "C:\Windows\SysWOW64\bxbfrsl.exe"
        200⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        201⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        202⤵
        
        PID:444
        
        C:\Windows\SysWOW64\ynifkry.exe
        
        C:\Windows\system32\ynifkry.exe 1300 "C:\Windows\SysWOW64\oowhzsq.exe"
        201⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        202⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        203⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\lldhaze.exe
        
        C:\Windows\system32\lldhaze.exe 1316 "C:\Windows\SysWOW64\ynifkry.exe"
        202⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        203⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        204⤵
        Modifies security service
        
        PID:3204
        
        C:\Windows\SysWOW64\ycykjhb.exe
        
        C:\Windows\system32\ycykjhb.exe 1520 "C:\Windows\SysWOW64\lldhaze.exe"
        203⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        204⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        205⤵
        Modifies security service
        
        PID:1300
        
        C:\Windows\SysWOW64\lhpnxqm.exe
        
        C:\Windows\system32\lhpnxqm.exe 1524 "C:\Windows\SysWOW64\ycykjhb.exe"
        204⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        205⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        206⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\quhcdul.exe
        
        C:\Windows\system32\quhcdul.exe 1516 "C:\Windows\SysWOW64\lhpnxqm.exe"
        205⤵
        Identifies Wine through registry keys
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        206⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        207⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\aulanss.exe
        
        C:\Windows\system32\aulanss.exe 1532 "C:\Windows\SysWOW64\quhcdul.exe"
        206⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        207⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        208⤵
        
        PID:588
        
        C:\Windows\SysWOW64\mzcucbe.exe
        
        C:\Windows\system32\mzcucbe.exe 1536 "C:\Windows\SysWOW64\aulanss.exe"
        207⤵
        Identifies Wine through registry keys
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        208⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        209⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\zumkhfc.exe
        
        C:\Windows\system32\zumkhfc.exe 1540 "C:\Windows\SysWOW64\mzcucbe.exe"
        208⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        209⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        210⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\mosabrh.exe
        
        C:\Windows\system32\mosabrh.exe 1544 "C:\Windows\SysWOW64\zumkhfc.exe"
        209⤵
        Identifies Wine through registry keys
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        210⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        211⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\rexvpys.exe
        
        C:\Windows\system32\rexvpys.exe 1008 "C:\Windows\SysWOW64\mosabrh.exe"
        210⤵
        Identifies Wine through registry keys
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        211⤵
        
        PID:908
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        212⤵
        Runs .reg file with regedit
        
        PID:2368
        
        C:\Windows\SysWOW64\jmzauqu.exe
        
        C:\Windows\system32\jmzauqu.exe 1552 "C:\Windows\SysWOW64\rexvpys.exe"
        211⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        212⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        213⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\lknqsvh.exe
        
        C:\Windows\system32\lknqsvh.exe 1364 "C:\Windows\SysWOW64\jmzauqu.exe"
        212⤵
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        213⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\ekpdxob.exe
        
        C:\Windows\system32\ekpdxob.exe 1560 "C:\Windows\SysWOW64\lknqsvh.exe"
        213⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        214⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        215⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\lozighm.exe
        
        C:\Windows\system32\lozighm.exe 1480 "C:\Windows\SysWOW64\ekpdxob.exe"
        214⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        215⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        216⤵
        Modifies security service
        
        PID:3428
        
        C:\Windows\SysWOW64\ytrluqp.exe
        
        C:\Windows\system32\ytrluqp.exe 1568 "C:\Windows\SysWOW64\lozighm.exe"
        215⤵
        Identifies Wine through registry keys
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        216⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        217⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cgksoab.exe
        
        C:\Windows\system32\cgksoab.exe 1252 "C:\Windows\SysWOW64\ytrluqp.exe"
        216⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        217⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        218⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\paqazeg.exe
        
        C:\Windows\system32\paqazeg.exe 1556 "C:\Windows\SysWOW64\cgksoab.exe"
        217⤵
        Identifies Wine through registry keys
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        218⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        219⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\iisnexh.exe
        
        C:\Windows\system32\iisnexh.exe 1580 "C:\Windows\SysWOW64\paqazeg.exe"
        218⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        219⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        220⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\ugnqnff.exe
        
        C:\Windows\system32\ugnqnff.exe 1584 "C:\Windows\SysWOW64\iisnexh.exe"
        219⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        220⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        221⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\ejdsait.exe
        
        C:\Windows\system32\ejdsait.exe 1596 "C:\Windows\SysWOW64\ugnqnff.exe"
        220⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        221⤵
        
        PID:444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        222⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\uzoahsp.exe
        
        C:\Windows\system32\uzoahsp.exe 1588 "C:\Windows\SysWOW64\ejdsait.exe"
        221⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        222⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        223⤵
        
        PID:772
        
        C:\Windows\SysWOW64\bgjbbpy.exe
        
        C:\Windows\system32\bgjbbpy.exe 1592 "C:\Windows\SysWOW64\uzoahsp.exe"
        222⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        223⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        224⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\ombvpyj.exe
        
        C:\Windows\system32\ombvpyj.exe 1600 "C:\Windows\SysWOW64\bgjbbpy.exe"
        223⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        224⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        225⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\ywqbuol.exe
        
        C:\Windows\system32\ywqbuol.exe 1604 "C:\Windows\SysWOW64\ombvpyj.exe"
        224⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        225⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        226⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\lywifbq.exe
        
        C:\Windows\system32\lywifbq.exe 1576 "C:\Windows\SysWOW64\ywqbuol.exe"
        225⤵
        Identifies Wine through registry keys
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        226⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        227⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\yorlwbv.exe
        
        C:\Windows\system32\yorlwbv.exe 1608 "C:\Windows\SysWOW64\lywifbq.exe"
        226⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        227⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        228⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\fenliyx.exe
        
        C:\Windows\system32\fenliyx.exe 1616 "C:\Windows\SysWOW64\yorlwbv.exe"
        227⤵
        Identifies Wine through registry keys
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        228⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        229⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\vbnluqg.exe
        
        C:\Windows\system32\vbnluqg.exe 1620 "C:\Windows\SysWOW64\fenliyx.exe"
        228⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        229⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        230⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\fazjfpo.exe
        
        C:\Windows\system32\fazjfpo.exe 1612 "C:\Windows\SysWOW64\vbnluqg.exe"
        229⤵
        Drops file in System32 directory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        230⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        231⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\squlwxt.exe
        
        C:\Windows\system32\squlwxt.exe 1628 "C:\Windows\SysWOW64\fazjfpo.exe"
        230⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        231⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        232⤵
        
        PID:536
        
        C:\Windows\SysWOW64\fpooeyr.exe
        
        C:\Windows\system32\fpooeyr.exe 1632 "C:\Windows\SysWOW64\squlwxt.exe"
        231⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        233⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\ggcdcce.exe
        
        C:\Windows\system32\ggcdcce.exe 696 "C:\Windows\SysWOW64\fpooeyr.exe"
        232⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        233⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        234⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cfvoxfe.exe
        
        C:\Windows\system32\cfvoxfe.exe 1640 "C:\Windows\SysWOW64\ggcdcce.exe"
        233⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        234⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        235⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\jyutuym.exe
        
        C:\Windows\system32\jyutuym.exe 1636 "C:\Windows\SysWOW64\cfvoxfe.exe"
        234⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        235⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        236⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\vsajglq.exe
        
        C:\Windows\system32\vsajglq.exe 1648 "C:\Windows\SysWOW64\jyutuym.exe"
        235⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        236⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\yyolvcz.exe
        
        C:\Windows\system32\yyolvcz.exe 1168 "C:\Windows\SysWOW64\vsajglq.exe"
        236⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        237⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        238⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\nvwthvb.exe
        
        C:\Windows\system32\nvwthvb.exe 1656 "C:\Windows\SysWOW64\yyolvcz.exe"
        237⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        238⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        239⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\xcbrsti.exe
        
        C:\Windows\system32\xcbrsti.exe 1660 "C:\Windows\SysWOW64\nvwthvb.exe"
        238⤵
        Identifies Wine through registry keys
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        239⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        240⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\kwhydym.exe
        
        C:\Windows\system32\kwhydym.exe 1664 "C:\Windows\SysWOW64\xcbrsti.exe"
        239⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        240⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        241⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\xvjbmgs.exe
        
        C:\Windows\system32\xvjbmgs.exe 1668 "C:\Windows\SysWOW64\kwhydym.exe"
        240⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        241⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        242⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\kleeuoy.exe
        
        C:\Windows\system32\kleeuoy.exe 1672 "C:\Windows\SysWOW64\xvjbmgs.exe"
        241⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        242⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        243⤵
        Modifies security service
        
        PID:2800
        
        C:\Windows\SysWOW64\uhfwkjy.exe
        
        C:\Windows\system32\uhfwkjy.exe 1676 "C:\Windows\SysWOW64\kleeuoy.exe"
        242⤵
        Identifies Wine through registry keys
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        243⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        244⤵
        Runs .reg file with regedit
        
        PID:3540
        
        C:\Windows\SysWOW64\egjuuig.exe
        
        C:\Windows\system32\egjuuig.exe 1680 "C:\Windows\SysWOW64\uhfwkjy.exe"
        243⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        244⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        245⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\ripjgmk.exe
        
        C:\Windows\system32\ripjgmk.exe 1688 "C:\Windows\SysWOW64\egjuuig.exe"
        244⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        245⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        246⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\yqlbaju.exe
        
        C:\Windows\system32\yqlbaju.exe 1684 "C:\Windows\SysWOW64\ripjgmk.exe"
        245⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        246⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        247⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\iaamnna.exe
        
        C:\Windows\system32\iaamnna.exe 1692 "C:\Windows\SysWOW64\yqlbaju.exe"
        246⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        247⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        248⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\yfahrsx.exe
        
        C:\Windows\system32\yfahrsx.exe 1696 "C:\Windows\SysWOW64\iaamnna.exe"
        247⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        248⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        249⤵
        Modifies security service
        
        PID:3068
        
        C:\Windows\SysWOW64\iemecre.exe
        
        C:\Windows\system32\iemecre.exe 1652 "C:\Windows\SysWOW64\yfahrsx.exe"
        248⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        249⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        250⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\vgtundj.exe
        
        C:\Windows\system32\vgtundj.exe 1704 "C:\Windows\SysWOW64\iemecre.exe"
        249⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        250⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        251⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\iwnxedo.exe
        
        C:\Windows\system32\iwnxedo.exe 1708 "C:\Windows\SysWOW64\vgtundj.exe"
        250⤵
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        251⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        252⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\kkomulb.exe
        
        C:\Windows\system32\kkomulb.exe 1700 "C:\Windows\SysWOW64\iwnxedo.exe"
        251⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        252⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        253⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\ugpebfc.exe
        
        C:\Windows\system32\ugpebfc.exe 1528 "C:\Windows\SysWOW64\kkomulb.exe"
        252⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        253⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\hivmnsg.exe
        
        C:\Windows\system32\hivmnsg.exe 1716 "C:\Windows\SysWOW64\ugpebfc.exe"
        253⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        254⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        255⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\rhzkfqo.exe
        
        C:\Windows\system32\rhzkfqo.exe 1724 "C:\Windows\SysWOW64\hivmnsg.exe"
        254⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        255⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        256⤵
        Runs .reg file with regedit
        
        PID:2212
        
        C:\Windows\SysWOW64\gawepeq.exe
        
        C:\Windows\system32\gawepeq.exe 1720 "C:\Windows\SysWOW64\rhzkfqo.exe"
        255⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        256⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        257⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\rwxpwzz.exe
        
        C:\Windows\system32\rwxpwzz.exe 1728 "C:\Windows\SysWOW64\gawepeq.exe"
        256⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        257⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        258⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\emrsfhx.exe
        
        C:\Windows\system32\emrsfhx.exe 1736 "C:\Windows\SysWOW64\rwxpwzz.exe"
        257⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        258⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        259⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\idwmbni.exe
        
        C:\Windows\system32\idwmbni.exe 1432 "C:\Windows\SysWOW64\emrsfhx.exe"
        258⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        259⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        260⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\ywtzlbl.exe
        
        C:\Windows\system32\ywtzlbl.exe 1744 "C:\Windows\SysWOW64\idwmbni.exe"
        259⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        260⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        261⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\knoctjq.exe
        
        C:\Windows\system32\knoctjq.exe 1748 "C:\Windows\SysWOW64\ywtzlbl.exe"
        260⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        261⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        262⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\vuszeiy.exe
        
        C:\Windows\system32\vuszeiy.exe 1752 "C:\Windows\SysWOW64\knoctjq.exe"
        261⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        262⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        263⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\hoyppuc.exe
        
        C:\Windows\system32\hoyppuc.exe 1740 "C:\Windows\SysWOW64\vuszeiy.exe"
        262⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        263⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        264⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\xerxweg.exe
        
        C:\Windows\system32\xerxweg.exe 1760 "C:\Windows\SysWOW64\hoyppuc.exe"
        263⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        264⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        265⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cuokssr.exe
        
        C:\Windows\system32\cuokssr.exe 1512 "C:\Windows\SysWOW64\xerxweg.exe"
        264⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        265⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        266⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\rnlfcgt.exe
        
        C:\Windows\system32\rnlfcgt.exe 1768 "C:\Windows\SysWOW64\cuokssr.exe"
        265⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        266⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        267⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\bmxcmeb.exe
        
        C:\Windows\system32\bmxcmeb.exe 1764 "C:\Windows\SysWOW64\rnlfcgt.exe"
        266⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        267⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        268⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\llbaeda.exe
        
        C:\Windows\system32\llbaeda.exe 1776 "C:\Windows\SysWOW64\bmxcmeb.exe"
        267⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        268⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        269⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\bbnidne.exe
        
        C:\Windows\system32\bbnidne.exe 1772 "C:\Windows\SysWOW64\llbaeda.exe"
        268⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        269⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        270⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\qnjvnjg.exe
        
        C:\Windows\system32\qnjvnjg.exe 1784 "C:\Windows\SysWOW64\bbnidne.exe"
        269⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        270⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        271⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\tfjsffo.exe
        
        C:\Windows\system32\tfjsffo.exe 1452 "C:\Windows\SysWOW64\qnjvnjg.exe"
        270⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        271⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        272⤵
        Modifies security service
        
        PID:340
        
        C:\Windows\SysWOW64\iqgfptr.exe
        
        C:\Windows\system32\iqgfptr.exe 1792 "C:\Windows\SysWOW64\tfjsffo.exe"
        271⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        272⤵
        
        PID:616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        273⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\vsmvaxd.exe
        
        C:\Windows\system32\vsmvaxd.exe 1796 "C:\Windows\SysWOW64\iqgfptr.exe"
        272⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        273⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        274⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\hxvqwog.exe
        
        C:\Windows\system32\hxvqwog.exe 1800 "C:\Windows\SysWOW64\vsmvaxd.exe"
        273⤵
        Identifies Wine through registry keys
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        274⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        275⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\uoysfwm.exe
        
        C:\Windows\system32\uoysfwm.exe 1804 "C:\Windows\SysWOW64\hxvqwog.exe"
        274⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        275⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        276⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\hqeiqaq.exe
        
        C:\Windows\system32\hqeiqaq.exe 1788 "C:\Windows\SysWOW64\uoysfwm.exe"
        275⤵
        
        PID:616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        276⤵
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        277⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\udoywex.exe
        
        C:\Windows\system32\udoywex.exe 1812 "C:\Windows\SysWOW64\hqeiqaq.exe"
        276⤵
        Identifies Wine through registry keys
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        277⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        278⤵
        Runs .reg file with regedit
        
        PID:3520
        
        C:\Windows\SysWOW64\hfunhrb.exe
        
        C:\Windows\system32\hfunhrb.exe 1808 "C:\Windows\SysWOW64\udoywex.exe"
        277⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        278⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        279⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\riryvmh.exe
        
        C:\Windows\system32\riryvmh.exe 1820 "C:\Windows\SysWOW64\hfunhrb.exe"
        278⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        279⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        280⤵
        Runs .reg file with regedit
        
        PID:1716
        
        C:\Windows\SysWOW64\edanbqg.exe
        
        C:\Windows\system32\edanbqg.exe 1824 "C:\Windows\SysWOW64\riryvmh.exe"
        279⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        280⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        281⤵
        Modifies security service
        
        PID:2388
        
        C:\Windows\SysWOW64\rtdqrym.exe
        
        C:\Windows\system32\rtdqrym.exe 1828 "C:\Windows\SysWOW64\edanbqg.exe"
        280⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        281⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        282⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\ahwfhfz.exe
        
        C:\Windows\system32\ahwfhfz.exe 1832 "C:\Windows\SysWOW64\rtdqrym.exe"
        281⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        282⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        283⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\nyziqge.exe
        
        C:\Windows\system32\nyziqge.exe 1836 "C:\Windows\SysWOW64\ahwfhfz.exe"
        282⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        283⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        284⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\awulyoc.exe
        
        C:\Windows\system32\awulyoc.exe 1840 "C:\Windows\SysWOW64\nyziqge.exe"
        283⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        284⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        285⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\nnoohwh.exe
        
        C:\Windows\system32\nnoohwh.exe 1844 "C:\Windows\SysWOW64\awulyoc.exe"
        284⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        285⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        286⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\apudsam.exe
        
        C:\Windows\system32\apudsam.exe 1848 "C:\Windows\SysWOW64\nnoohwh.exe"
        285⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        286⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        287⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\krsooda.exe
        
        C:\Windows\system32\krsooda.exe 1860 "C:\Windows\SysWOW64\apudsam.exe"
        286⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        287⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        288⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\aesjsrx.exe
        
        C:\Windows\system32\aesjsrx.exe 1856 "C:\Windows\SysWOW64\krsooda.exe"
        287⤵
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        288⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        289⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\jghtfmd.exe
        
        C:\Windows\system32\jghtfmd.exe 1816 "C:\Windows\SysWOW64\aesjsrx.exe"
        288⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        289⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        290⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\wxkonuj.exe
        
        C:\Windows\system32\wxkonuj.exe 1864 "C:\Windows\SysWOW64\jghtfmd.exe"
        289⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        290⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        291⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dqjbkor.exe
        
        C:\Windows\system32\dqjbkor.exe 1868 "C:\Windows\SysWOW64\wxkonuj.exe"
        290⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        291⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        292⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\lutguhu.exe
        
        C:\Windows\system32\lutguhu.exe 1872 "C:\Windows\SysWOW64\dqjbkor.exe"
        291⤵
        Identifies Wine through registry keys
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        292⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        293⤵
        Modifies security service
        
        PID:3796
        
        C:\Windows\SysWOW64\bcfobqx.exe
        
        C:\Windows\system32\bcfobqx.exe 1876 "C:\Windows\SysWOW64\lutguhu.exe"
        292⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        293⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\nelemdc.exe
        
        C:\Windows\system32\nelemdc.exe 1880 "C:\Windows\SysWOW64\bcfobqx.exe"
        293⤵
        Identifies Wine through registry keys
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        294⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        295⤵
        
        PID:908
        
        C:\Windows\SysWOW64\vmywgsl.exe
        
        C:\Windows\system32\vmywgsl.exe 1572 "C:\Windows\SysWOW64\nelemdc.exe"
        294⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        295⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        296⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\kusencp.exe
        
        C:\Windows\system32\kusencp.exe 1888 "C:\Windows\SysWOW64\vmywgsl.exe"
        295⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        296⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        297⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\xzbybts.exe
        
        C:\Windows\system32\xzbybts.exe 1892 "C:\Windows\SysWOW64\kusencp.exe"
        296⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        297⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        298⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\npugicw.exe
        
        C:\Windows\system32\npugicw.exe 1896 "C:\Windows\SysWOW64\xzbybts.exe"
        297⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        298⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        299⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\xozetbd.exe
        
        C:\Windows\system32\xozetbd.exe 1900 "C:\Windows\SysWOW64\npugicw.exe"
        298⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        299⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        300⤵
        Runs .reg file with regedit
        
        PID:948
        
        C:\Windows\SysWOW64\jqftenh.exe
        
        C:\Windows\system32\jqftenh.exe 1904 "C:\Windows\SysWOW64\xozetbd.exe"
        299⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        300⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        301⤵
        Runs .reg file with regedit
        
        PID:2456
        
        C:\Windows\SysWOW64\pdwjkjg.exe
        
        C:\Windows\system32\pdwjkjg.exe 1908 "C:\Windows\SysWOW64\jqftenh.exe"
        300⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        301⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        302⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\yrxyirt.exe
        
        C:\Windows\system32\yrxyirt.exe 1912 "C:\Windows\SysWOW64\pdwjkjg.exe"
        301⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        303⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\lisbqzz.exe
        
        C:\Windows\system32\lisbqzz.exe 1916 "C:\Windows\SysWOW64\yrxyirt.exe"
        302⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        303⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        304⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\yvjzwdy.exe
        
        C:\Windows\system32\yvjzwdy.exe 1920 "C:\Windows\SysWOW64\lisbqzz.exe"
        303⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        304⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        305⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\ijkomcl.exe
        
        C:\Windows\system32\ijkomcl.exe 1924 "C:\Windows\SysWOW64\yvjzwdy.exe"
        304⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        305⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        306⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\ynkjqph.exe
        
        C:\Windows\system32\ynkjqph.exe 1928 "C:\Windows\SysWOW64\ijkomcl.exe"
        305⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        306⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        307⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\iyzudso.exe
        
        C:\Windows\system32\iyzudso.exe 1932 "C:\Windows\SysWOW64\ynkjqph.exe"
        306⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        307⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        308⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\uafjxxa.exe
        
        C:\Windows\system32\uafjxxa.exe 1936 "C:\Windows\SysWOW64\iyzudso.exe"
        307⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        309⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\inxzdbz.exe
        
        C:\Windows\system32\inxzdbz.exe 1940 "C:\Windows\SysWOW64\uafjxxa.exe"
        308⤵
        Identifies Wine through registry keys
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        309⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        310⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\rtywtim.exe
        
        C:\Windows\system32\rtywtim.exe 1944 "C:\Windows\SysWOW64\inxzdbz.exe"
        309⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        310⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        311⤵
        Runs .reg file with regedit
        
        PID:2520
        
        C:\Windows\SysWOW64\erszbqk.exe
        
        C:\Windows\system32\erszbqk.exe 1948 "C:\Windows\SysWOW64\rtywtim.exe"
        310⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        311⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        312⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\rinukrp.exe
        
        C:\Windows\system32\rinukrp.exe 1952 "C:\Windows\SysWOW64\erszbqk.exe"
        311⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        312⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        313⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\bslefuv.exe
        
        C:\Windows\system32\bslefuv.exe 1956 "C:\Windows\SysWOW64\rinukrp.exe"
        312⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        313⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        314⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\rxlzbhs.exe
        
        C:\Windows\system32\rxlzbhs.exe 1960 "C:\Windows\SysWOW64\bslefuv.exe"
        313⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        314⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        315⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\bhajwkh.exe
        
        C:\Windows\system32\bhajwkh.exe 1964 "C:\Windows\SysWOW64\rxlzbhs.exe"
        314⤵
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        315⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        316⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\oydmfke.exe
        
        C:\Windows\system32\oydmfke.exe 1968 "C:\Windows\SysWOW64\bhajwkh.exe"
        315⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        316⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        317⤵
        Modifies security service
        
        PID:1044
        
        C:\Windows\SysWOW64\boyposk.exe
        
        C:\Windows\system32\boyposk.exe 1972 "C:\Windows\SysWOW64\oydmfke.exe"
        316⤵
        Identifies Wine through registry keys
        
        PID:3760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        317⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        318⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\kznzbvq.exe
        
        C:\Windows\system32\kznzbvq.exe 1976 "C:\Windows\SysWOW64\boyposk.exe"
        317⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        318⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        319⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\apzhifu.exe
        
        C:\Windows\system32\apzhifu.exe 1980 "C:\Windows\SysWOW64\kznzbvq.exe"
        318⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        319⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        320⤵
        Runs .reg file with regedit
        
        PID:2052
        
        C:\Windows\SysWOW64\krosdia.exe
        
        C:\Windows\system32\krosdia.exe 1884 "C:\Windows\SysWOW64\apzhifu.exe"
        319⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        320⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        321⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\xtuzovm.exe
        
        C:\Windows\system32\xtuzovm.exe 1988 "C:\Windows\SysWOW64\krosdia.exe"
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        321⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        322⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\kkxcxvk.exe
        
        C:\Windows\system32\kkxcxvk.exe 1992 "C:\Windows\SysWOW64\xtuzovm.exe"
        321⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        322⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        323⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\uvmmkyy.exe
        
        C:\Windows\system32\uvmmkyy.exe 1996 "C:\Windows\SysWOW64\kkxcxvk.exe"
        322⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        323⤵
        
        PID:788
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        324⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\glhptgw.exe
        
        C:\Windows\system32\glhptgw.exe 2000 "C:\Windows\SysWOW64\uvmmkyy.exe"
        323⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        324⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        325⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\tcksbgb.exe
        
        C:\Windows\system32\tcksbgb.exe 2004 "C:\Windows\SysWOW64\glhptgw.exe"
        324⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        325⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        326⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\gafusoh.exe
        
        C:\Windows\system32\gafusoh.exe 2008 "C:\Windows\SysWOW64\tcksbgb.exe"
        325⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        326⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        327⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\traxawm.exe
        
        C:\Windows\system32\traxawm.exe 1852 "C:\Windows\SysWOW64\gafusoh.exe"
        326⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        327⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        328⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\dfamqer.exe
        
        C:\Windows\system32\dfamqer.exe 2012 "C:\Windows\SysWOW64\traxawm.exe"
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        328⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        329⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\qvvpzex.exe
        
        C:\Windows\system32\qvvpzex.exe 2020 "C:\Windows\SysWOW64\dfamqer.exe"
        328⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        329⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        330⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cxbflrb.exe
        
        C:\Windows\system32\cxbflrb.exe 2024 "C:\Windows\SysWOW64\qvvpzex.exe"
        329⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        330⤵
        
        PID:860
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        331⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\qktvqui.exe
        
        C:\Windows\system32\qktvqui.exe 2016 "C:\Windows\SysWOW64\cxbflrb.exe"
        330⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        331⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        332⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cjnxhvg.exe
        
        C:\Windows\system32\cjnxhvg.exe 2032 "C:\Windows\SysWOW64\qktvqui.exe"
        331⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        332⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        333⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\mpovxct.exe
        
        C:\Windows\system32\mpovxct.exe 2036 "C:\Windows\SysWOW64\cjnxhvg.exe"
        332⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        333⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        334⤵
        Runs .reg file with regedit
        
        PID:2628
        
        C:\Windows\SysWOW64\cbwqbpq.exe
        
        C:\Windows\system32\cbwqbpq.exe 2040 "C:\Windows\SysWOW64\mpovxct.exe"
        333⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        334⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        335⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\memaokw.exe
        
        C:\Windows\system32\memaokw.exe 2044 "C:\Windows\SysWOW64\cbwqbpq.exe"
        334⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        335⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        336⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\zgsiaxi.exe
        
        C:\Windows\system32\zgsiaxi.exe 2052 "C:\Windows\SysWOW64\memaokw.exe"
        335⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        336⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        337⤵
        Runs .reg file with regedit
        
        PID:596
        
        C:\Windows\SysWOW64\mtjffbh.exe
        
        C:\Windows\system32\mtjffbh.exe 2056 "C:\Windows\SysWOW64\zgsiaxi.exe"
        336⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        337⤵
        
        PID:532
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        338⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\vhcvdiu.exe
        
        C:\Windows\system32\vhcvdiu.exe 2060 "C:\Windows\SysWOW64\mtjffbh.exe"
        337⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        338⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        339⤵
        Runs .reg file with regedit
        
        PID:3360
        
        C:\Windows\SysWOW64\ixfxmis.exe
        
        C:\Windows\system32\ixfxmis.exe 2064 "C:\Windows\SysWOW64\vhcvdiu.exe"
        338⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        339⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        340⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\vwaavqx.exe
        
        C:\Windows\system32\vwaavqx.exe 2068 "C:\Windows\SysWOW64\ixfxmis.exe"
        339⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        340⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        341⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\iqgqgdb.exe
        
        C:\Windows\system32\iqgqgdb.exe 2028 "C:\Windows\SysWOW64\vwaavqx.exe"
        340⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        341⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        342⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\vdxgmzi.exe
        
        C:\Windows\system32\vdxgmzi.exe 2076 "C:\Windows\SysWOW64\iqgqgdb.exe"
        341⤵
        Identifies Wine through registry keys
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        342⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        343⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\frydkgn.exe
        
        C:\Windows\system32\frydkgn.exe 2080 "C:\Windows\SysWOW64\vdxgmzi.exe"
        342⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        343⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        344⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\vvyqgts.exe
        
        C:\Windows\system32\vvyqgts.exe 2084 "C:\Windows\SysWOW64\frydkgn.exe"
        343⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        344⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        345⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\fgnabpy.exe
        
        C:\Windows\system32\fgnabpy.exe 2088 "C:\Windows\SysWOW64\vvyqgts.exe"
        344⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        345⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        346⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\rwqdkxe.exe
        
        C:\Windows\system32\rwqdkxe.exe 2072 "C:\Windows\SysWOW64\fgnabpy.exe"
        345⤵
        Identifies Wine through registry keys
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\a.bat
        346⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        347⤵
        
        PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
478B

MD5
1a00c84e2e8a76c3caa6c0b89f9f0d6d

SHA1
2650e962d49c5800edb569ee1b989edc8868d9b9

SHA256
f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6

SHA512
a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
5da7efcc8d0fcdf2bad7890c3f8a27ca

SHA1
681788d5a3044eee8426d431bd786375cd32bf13

SHA256
7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

SHA512
6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
431B

MD5
9fa547ff360b09f7e093593af0b5a13b

SHA1
9debc99bb7450f59a7b09f16c0393e5c7a955ba4

SHA256
7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

SHA512
30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
476B

MD5
a5d4cddfecf34e5391a7a3df62312327

SHA1
04a3c708bab0c15b6746cf9dbf41a71c917a98b9

SHA256
8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

SHA512
48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
574B

MD5
5020988c301a6bf0c54a293ddf64837c

SHA1
5b65e689a2988b9a739d53565b2a847f20d70f09

SHA256
a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d

SHA512
921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
110B

MD5
b6b8b04c60361e2df1d3e29fc4fc3138

SHA1
bd732238f8d5894ca6020081adef617dabadf94e

SHA256
f255a5447d3a3eda8715938993357971faeabf92eecf172e2fc0dfbdaa239c1b

SHA512
16e7247fdc0c1191229ea44b4f6584dce588255e775642c343cffb2030c05bd77f4eb716d87d21defb0fe7edcc62a7a2e12ecbebbd72bc9a5247934fdd02fe40

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
925B

MD5
0d1e5715cf04d212bcd7c9dea5f7ab72

SHA1
a8add44bf542e4d22260a13de6a35704fb7f3bfb

SHA256
5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473

SHA512
89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
449B

MD5
c6b0028a6f5508ef564d624eda0e72bc

SHA1
18901c9856a9af672c2e27383c15d2da41f27b6b

SHA256
b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06

SHA512
5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
748bce4dacebbbd388af154a1df22078

SHA1
0eeeb108678f819cd437d53b927feedf36aabc64

SHA256
1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

SHA512
d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
614dc91c25423b19711b270e1e5a49ad

SHA1
f66496dcf9047ae934bdc4a65f697be55980b169

SHA256
cd2b70a70c7da79d5136e4268d6c685e81d925b9387b9ed9e1b3189118e2de5e

SHA512
27a8649bb02ab6a67a1f2482662a6c690aefca551eec3575ea9aeee645d318b23d0dc6d5d2db239583ddb5f04ba13d94e5180a184566416291b7180fab0029e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
f1cbbc2ce0d93c45a92edcc86780e9f0

SHA1
d893306caae2584cdeba4c80c3bfe18548fa227a

SHA256
6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

SHA512
b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c1e5f93e2bee9ca33872764d8889de23

SHA1
167f65adfc34a0e47cb7de92cc5958ee8905796a

SHA256
8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

SHA512
482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
501effddf60a974e98b67dc8921aa7e8

SHA1
734dfe4b508dbc1527ec92e91821a1251aec5b2e

SHA256
672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06

SHA512
28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
117efa689c5631c1a1ee316f123182bd

SHA1
f477bf1e9f4db8452bd9fe314cd18715f7045689

SHA256
79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7

SHA512
abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
1daa413d1a8cd1692f2e4ae22b54c74a

SHA1
2e02e2a23cfaa62f301e29a117e291ff93cc5d31

SHA256
10732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33

SHA512
b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
8a84d46ef81c793a90a80bc806cffdcf

SHA1
02fac9db9330040ffc613a325686ddca2678a7c5

SHA256
201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4

SHA512
b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f82bc8865c1f6bf7125563479421f95c

SHA1
65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

SHA256
f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

SHA512
00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8c6aa92ac8ffdfb7a0fb3dafd14d65f1

SHA1
cac3992d696a99a5dec2ab1c824c816117414b16

SHA256
dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

SHA512
f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
7fe70731de9e888ca911baeb99ee503d

SHA1
0073da5273512f66dbf570580dc55957535c2478

SHA256
ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a

SHA512
4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
752fd85212d47da8f0adc29004a573b2

SHA1
fa8fe3ff766601db46412879dc13dbec8d055965

SHA256
9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e

SHA512
d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
703B

MD5
e2564fc59a86ea85b7485ab7288c68c4

SHA1
bc1544d9a03d1adafe399067ac32bf8d1cedbdb0

SHA256
68e8d8ef14bfbe96ebad3fb391fd4c1e57068a7f950dd31840884f6d58b078a8

SHA512
e09c6741d99ec41763e939aa39adb4e0f8508d37556c52251eec268849e85960da42ace7e9b82f1927de5bcf29ebec205189b113d2bb123025f3e6615b28ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
851B

MD5
a13ff758fc4326eaa44582bc9700aead

SHA1
a4927b4a3b84526c5c42a077ade4652ab308f83f

SHA256
c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588

SHA512
86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
b99b0dc7cab4e69d365783a5c4273a83

SHA1
5fcc44aa2631c923e9961266a2e0dbeaaabe84da

SHA256
1fc967a5c8f7859ba0c410978d165085f241195fe4a31d61a127e38c30d435e4

SHA512
495474416f5eccd40829d42f050464903273d564cb862b1bd0657262485e634b5d466363cac085406c6d830f42a2f7b5648818b2efe6db1a90833a4b90a6a14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3637baf389a0d79b412adb2a7f1b7d09

SHA1
f4b011a72f59cf98a325f12b7e40ddd0548ccc16

SHA256
835336f5d468ac1d8361f9afbc8e69ff1538c51b0b619d641b4b41dcfaa39cba

SHA512
ea71a49c3673e9ce4f92d0f38441b3bc5b3b9ef6649caa21972648e34b6cec8694fa8fb7fc0ddad1e58f0464e0ba917c4500090a3db3fc07e1d258079c1c2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
82fb85e6f9058c36d57abc2350ffee7e

SHA1
f52708d066380d42924513f697ab4ed5492f78b8

SHA256
0696a5c075674c13128a61fd02c3be39c68860dc24f3669415817d03c75415c6

SHA512
27c84e21ed39cc0ff6377d717b99ee444867eba7a74b878b30c8a7ec7df97003f02963399020abe09a73f4b6949c75580eb85067412f4ccdacc03e8caf5d966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5f6aefafda312b288b7d555c1fc36dc9

SHA1
f25e2fdea9dd714d0fae68af71cace7bb49302ce

SHA256
60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a

SHA512
97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
3bd23392c6fcc866c4561388c1dc72ac

SHA1
c4b1462473f1d97fed434014532ea344b8fc05c1

SHA256
696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

SHA512
15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
bf7ee07851e04b2a0dbe554db62dc3aa

SHA1
cad155b66053cd7ce2b969a0eb20a8f4812b1f46

SHA256
13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9

SHA512
9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2299014e9ce921b7045e958d39d83e74

SHA1
26ed64f84417eb05d1d9d48441342ca1363084da

SHA256
ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57

SHA512
0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
c2d6056624c1d37b1baf4445d8705378

SHA1
90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83

SHA256
3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96

SHA512
d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d8be0d42e512d922804552250f01eb90

SHA1
cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3

SHA256
901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82

SHA512
f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
fa83299c5a0d8714939977af6bdafa92

SHA1
46a4abab9b803a7361ab89d0ca000a367550e23c

SHA256
f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

SHA512
85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
63ff40a70037650fd0acfd68314ffc94

SHA1
1ab29adec6714edf286485ac5889fddb1d092e93

SHA256
1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b

SHA512
2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b9dc88ed785d13aaeae9626d7a26a6a0

SHA1
ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e

SHA256
9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc

SHA512
df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
0a839c0e3eb1ed25e6211159e43f4df1

SHA1
a227a9322f58b8f40b2f6f326dca58145f599587

SHA256
717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

SHA512
bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
f5fa5178657d29a36c5dc4ac9445cbdc

SHA1
4be1a87a89715d24d52b23c59006f9cb74437ba0

SHA256
f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114

SHA512
54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
c8441ec8a2edf9b2f4f631fe930ea4d9

SHA1
2855ee21116b427d280fcaa2471c9bd3d2957f6f

SHA256
dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184

SHA512
b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
831afd728dd974045c0654510071d405

SHA1
9484f4ee8e9eef0956553a59cfbcbe99a8822026

SHA256
03223eaae4ac389215cb8a9cb4e4d5a70b67f791f90e57b8efd3f975f5cf6af2

SHA512
ab7ac4d6d45b8aac5f82432468d40bd2b5bfae6d93006732ce27a6513fd3e7ddc94c029051092bf8b6f5649688c0f6600dbd88968732fc7b779e916e6bcda5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
e78a2688839aaee80b2bfdc4639329c5

SHA1
818a0dd05493b075a9f2eaf063e64d5a653f470a

SHA256
bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d

SHA512
2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
0bccb0cc2d0641cd0ac7ce17afe64b9f

SHA1
103f5bc2b153913e8a614a7abb43941fe90862a4

SHA256
cae50ec401dae988f1221cead7de58cf4301040fd9fbb8d1c4ad032034ee1842

SHA512
cce4edc7c607ca3969fb19f93a836d87170e2c50fcf136acb3bcb5500b99b1ae73a999b7d648a3643f58cf960b071b24215e1c59f874ca38a50cf1ef90b06389

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
206B

MD5
2d9f1ff716273d19e3f0d10a3cd8736f

SHA1
b4ca02834dd3f3489c5088d2157279d2be90f5ff

SHA256
9acf0b6f653d189bcf02fa9941a2a1a6b6f60c6fa1f62ad38f314014ec188623

SHA512
1d08e079d12a58115ced67c002d383a4ff5aca81fde9ac81bb14d8c5dcdfe07839c7b895130b746d4691cd38dc74fbfc0bdc8605b520ac85bc137fd5fa922025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
274B

MD5
eee5718ce97d259fd8acec31375fc375

SHA1
989c64b0c9a049f1b7ad9e677c4566ab1559744f

SHA256
1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb

SHA512
6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
576B

MD5
8a0897226da780b90c11da0756b361f1

SHA1
67f813e8733ad75a2147c59cca102a60274daeab

SHA256
115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee

SHA512
55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
978B

MD5
2e2266221550edce9a27c9060d5c2361

SHA1
f39f2d8f02f8b3a877d5969a81c4cb12679609f3

SHA256
e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

SHA512
e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1024B

MD5
159bb1d34a927f58fc851798c7c09b58

SHA1
c3a26565004531f3a93e29eabb0f9a196b4c1ba2

SHA256
53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

SHA512
b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
a437192517c26d96c8cee8d5a27dd560

SHA1
f665a3e5e5c141e4527509dffd30b0320aa8df6f

SHA256
d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23

SHA512
f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
47985593a44ee38c64665b04cbd4b84c

SHA1
84900c2b2e116a7b744730733f63f2a38b4eb76e

SHA256
4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70

SHA512
abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
584f47a0068747b3295751a0d591f4ee

SHA1
7886a90e507c56d3a6105ecdfd9ff77939afa56f

SHA256
927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5

SHA512
ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
10B

MD5
c756b8eac93de58d57105a6c35adb50f

SHA1
b18d370dabc3c5b9e82d74f19bbc101a1be009f2

SHA256
853448e59c9bb7599fa8a5ff03a0b608781a02d41f58576f1192e0c48cb8d635

SHA512
09fbfe4a17b1fb6167c6889e5a0ab41cfef9e1372796e69c2558a50a002d9c1e2b0d81d45d7f96be9d02a8025d0ae276ecc01f135e9ccb04c301adcffd67d263

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
86B

MD5
81f2f44f6ecac84e6336cf272aff53bf

SHA1
24d388235609e7560066b834be91c5407b202b1f

SHA256
b6c9d291084087663b29aa58c8a14f13ec1cb80a499c6ae60cc71002b6376636

SHA512
44efc9c05c4cdeb189308e894734cef5c83b8be80850441989e45c29671facecb7be9504291a6947443da227b35555ecd933136e2e819c20c2ddeafcf01b87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
182B

MD5
09e45f09a25fed7995c8430f4a370ade

SHA1
fc49fec86e600a7c4e1b6bfa274f883635d65687

SHA256
f827e79f717d490ba61a9ec5f8198ebc3066e22fd25871f06ce15f04162f57b9

SHA512
1a6ed68eced45f30fff3f281ceb082d6ae9e13bc71f6f7da5b4ba064e9876ef7efd76eaffe1325f6e3dfa3a5429200302ea84915245f26ac393105fd1ec365ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
815B

MD5
fadf3805f68986d2ee9c82f560a564e4

SHA1
87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6

SHA256
d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759

SHA512
e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
989c5352030fafd44b92adf4d4164738

SHA1
e02985c15eb20682115e3fc343f829e28770ed6c

SHA256
248c7793d113ca762bbe56b974f4c5902339dacb0b47ddd7c412340a623dfe38

SHA512
9ebcfc38952d968d608d68b2e8fbb56f5d02ed03e0e2d02661caeb50f804404d95fc45f22a8376ca88b69548c89c22b6c6a9acbb7fdcb5f6f906bd871b3465f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
1b2949b211ab497b739b1daf37cd4101

SHA1
12cad1063d28129ddd89e80acc2940f8dfbbaab3

SHA256
3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

SHA512
a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
bef09dc596b7b91eec4f38765e0965b7

SHA1
b8bb8d2eb918e0979b08fd1967dac127874b9de5

SHA256
8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265

SHA512
0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
8a36f3bf3750851d8732b132fa330bb4

SHA1
1cb36be31f3d7d9439aac14af3d7a27f05a980eb

SHA256
5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9

SHA512
a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
cd085b8c40e69c2bf1eb3d59f8155b99

SHA1
3499260f24020fe6d54d9d632d34ba2770bb06e0

SHA256
10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c

SHA512
3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
683B

MD5
6fe56f6715b4c328bc5b2b35cb51c7e1

SHA1
8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3

SHA256
0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be

SHA512
8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5aa228bc61037ddaf7a22dab4a04e9a1

SHA1
b50fcd8f643ea748f989a06e38c778884b3c19f2

SHA256
65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b

SHA512
2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
558e454bc2d99d7949719cf24f540dd2

SHA1
e9c772bcee4ae780cdc28b0b4876385639e59b39

SHA256
677ec2cfe2ae99352aa12ac658d01a7bb0b51cf3cd2c568e94a78754326ca43a

SHA512
5bb10dcf81ccab0b7e2274d3ccdbda5a38014576096fef71725cfa6e16a4bfd29f481f3bc5ad15426fb9918eeca67fff11291a88caf10974433214674c1c1b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
5b77620cb52220f4a82e3551ee0a53a6

SHA1
07d122b8e70ec5887bad4ef8f4d6209df18912d0

SHA256
93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579

SHA512
9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
ff6c57e8ec2b96b8da7fe900f1f3da1c

SHA1
a6f0dc2e2a0a46e1031017b81825173054bf76ae

SHA256
ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6

SHA512
c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

Download Submit
C:\Windows\SysWOW64\lcpgccj.exe

Filesize
1.4MB

MD5
ae70e848f771cf4213fed3fe2d133315

SHA1
1cfd5997b0bad2af1483bac6d065fc466194dee3

SHA256
dbb1f8653534a072152dcf5a1342525f43f1d66360c36dbe95b552a656e052ab

SHA512
3c6fe5fb05ccdcb47f5607a18f0d899663a7eb0864086804b0164f7951b85aeab498c77ca7702658dab1035c81c936e8dd8f24c4980910e97e8144cb84999e6c

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/112-6630-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/448-5908-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/636-3509-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/820-2652-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/868-3132-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/944-5068-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1060-3012-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1368-966-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1408-5188-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1412-6390-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1492-146-0x0000000004BC0000-0x0000000004F77000-memory.dmp

Filesize
3.7MB

Download
memory/1492-132-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1492-130-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1492-154-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1492-148-0x0000000004BC0000-0x0000000004F77000-memory.dmp

Filesize
3.7MB

Download
memory/1492-131-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1492-136-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1520-6270-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1564-6990-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1580-6508-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1588-3988-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1612-5668-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1620-2054-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1636-176-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1636-310-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1636-189-0x0000000004C60000-0x0000000005017000-memory.dmp

Filesize
3.7MB

Download
memory/1740-3748-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1768-7228-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1792-2772-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1812-3268-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1960-318-0x0000000004B70000-0x0000000004F27000-memory.dmp

Filesize
3.7MB

Download
memory/1960-401-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1960-190-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/1996-1812-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2016-6148-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2024-5788-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2044-977-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2076-3390-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2080-6028-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2100-6748-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2148-4829-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2160-149-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2160-162-0x0000000004C60000-0x0000000005017000-memory.dmp

Filesize
3.7MB

Download
memory/2160-164-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2192-5548-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2220-3254-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2304-4588-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2312-3628-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2316-178-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2316-175-0x0000000004B90000-0x0000000004F47000-memory.dmp

Filesize
3.7MB

Download
memory/2316-163-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2332-1214-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2340-6868-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2344-4468-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2352-860-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2372-1572-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2428-1692-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2432-4708-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2448-4108-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2476-7108-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2500-5428-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2552-4228-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2576-4348-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2640-2294-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2668-2412-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2676-2172-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2744-3868-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2760-4948-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2764-5308-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2820-0-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2820-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2820-4-0x0000000000401000-0x0000000000424000-memory.dmp

Filesize
140KB

Download
memory/2820-134-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2820-128-0x0000000004CF0000-0x00000000050A7000-memory.dmp

Filesize
3.7MB

Download
memory/2820-135-0x0000000004CF0000-0x00000000050A7000-memory.dmp

Filesize
3.7MB

Download
memory/2820-1-0x00000000007C0000-0x00000000008B8000-memory.dmp

Filesize
992KB

Download
memory/2824-1452-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2828-1932-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2864-2534-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2880-696-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2880-576-0x0000000004B50000-0x0000000004F07000-memory.dmp

Filesize
3.7MB

Download
memory/2880-448-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2892-2892-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2948-577-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2948-824-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2948-704-0x0000000004CA0000-0x0000000005057000-memory.dmp

Filesize
3.7MB

Download
memory/2996-446-0x0000000004BF0000-0x0000000004FA7000-memory.dmp

Filesize
3.7MB

Download
memory/2996-447-0x0000000004BF0000-0x0000000004FA7000-memory.dmp

Filesize
3.7MB

Download
memory/2996-319-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2996-450-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/3020-1334-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download