metasploit | ad4cc7d0639d95613f2c3a7b26c644e4bcbd5c4d9325a1dd48b7280124923a7a

Analysis

max time kernel
14s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
Size

484KB
MD5

d90a33ac1d1845428baec0765efe1796
SHA1

41d4d07095aee2ffe20497a4d1621f764a33ee73
SHA256

ad4cc7d0639d95613f2c3a7b26c644e4bcbd5c4d9325a1dd48b7280124923a7a
SHA512

f98d8ce2efa86f41e6eec39cae9f95064f5e154cc03543960236f77407146e0e35470cdbf9e4bd503fd8ca8ededb4468ee3b06eeeed858e846d96dd0cc3c0d2a
SSDEEP

12288:YRQmDsgDPIAnsJ8Q19/vA80Tk+Lf2hgQmUQj3MFgb0ZCznzMs14AEoeli:yk+Lf27mUJFBunzz4AEoe

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies security service 2 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

Executes dropped EXE 64 IoCs

pid	Process
2864	vggecxi.exe
4044	vggecxi.exe
1168	orukvug.exe
1540	orukvug.exe
1236	jionsjp.exe
2760	jionsjp.exe
1968	ixlsjzs.exe
1744	ixlsjzs.exe
3324	jxnyvzy.exe
3620	jxnyvzy.exe
2300	ohvslee.exe
2768	ohvslee.exe
4040	oosydnh.exe
4724	oosydnh.exe
3692	ozfqrzl.exe
4028	ozfqrzl.exe
4772	qgtbgqm.exe
4156	qgtbgqm.exe
3704	qyulidw.exe
2740	qyulidw.exe
1188	txmwkma.exe
2260	txmwkma.exe
1760	afhwekb.exe
1676	afhwekb.exe
2840	dmpmfbi.exe
4888	dmpmfbi.exe
3252	ohpxnvj.exe
4728	ohpxnvj.exe
2536	dqafiuq.exe
3220	dqafiuq.exe
924	gazubqy.exe
640	gazubqy.exe
2112	isrstmg.exe
2440	isrstmg.exe
3856	tchpyca.exe
5108	tchpyca.exe
3356	yzefldh.exe
4060	yzefldh.exe
3152	dmxnffm.exe
2008	dmxnffm.exe
3660	iwninks.exe
3104	iwninks.exe
4920	qomiczw.exe
2368	qomiczw.exe
3652	yplbiga.exe
1564	yplbiga.exe
972	lfgdrox.exe
1628	lfgdrox.exe
668	vbhwgig.exe
3048	vbhwgig.exe
2892	iknyjiy.exe
756	iknyjiy.exe
4344	vbibsie.exe
2356	vbibsie.exe
1932	gxjtace.exe
2232	gxjtace.exe
2028	qscehxf.exe
324	qscehxf.exe
1492	ywmrzqq.exe
396	ywmrzqq.exe
4576	ljdhemp.exe
1292	ljdhemp.exe
2248	vqheplw.exe
4748	vqheplw.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tchpyca.exe	isrstmg.exe
File created	C:\Windows\SysWOW64\qomiczw.exe	iwninks.exe
File created	C:\Windows\SysWOW64\lzdkjph.exe	dvtxsdx.exe
File opened for modification	C:\Windows\SysWOW64\txmwkma.exe	qyulidw.exe
File opened for modification	C:\Windows\SysWOW64\afhwekb.exe	txmwkma.exe
File opened for modification	C:\Windows\SysWOW64\dqafiuq.exe	ohpxnvj.exe
File opened for modification	C:\Windows\SysWOW64\qlmmpef.exe	fquchje.exe
File opened for modification	C:\Windows\SysWOW64\qpkqcko.exe	ilaclzl.exe
File opened for modification	C:\Windows\SysWOW64\qomiczw.exe	iwninks.exe
File created	C:\Windows\SysWOW64\ywmrzqq.exe	qscehxf.exe
File created	C:\Windows\SysWOW64\ljdhemp.exe	ywmrzqq.exe
File opened for modification	C:\Windows\SysWOW64\qscehxf.exe	gxjtace.exe
File opened for modification	C:\Windows\SysWOW64\ywmrzqq.exe	qscehxf.exe
File opened for modification	C:\Windows\SysWOW64\dmpmfbi.exe	afhwekb.exe
File opened for modification	C:\Windows\SysWOW64\yplbiga.exe	qomiczw.exe
File created	C:\Windows\SysWOW64\vbhwgig.exe	lfgdrox.exe
File created	C:\Windows\SysWOW64\ilaclzl.exe	dzoiacl.exe
File created	C:\Windows\SysWOW64\jionsjp.exe	orukvug.exe
File created	C:\Windows\SysWOW64\ixlsjzs.exe	jionsjp.exe
File created	C:\Windows\SysWOW64\dqafiuq.exe	ohpxnvj.exe
File opened for modification	C:\Windows\SysWOW64\dmxnffm.exe	yzefldh.exe
File opened for modification	C:\Windows\SysWOW64\iwninks.exe	dmxnffm.exe
File opened for modification	C:\Windows\SysWOW64\ljdhemp.exe	ywmrzqq.exe
File created	C:\Windows\SysWOW64\jxnyvzy.exe	ixlsjzs.exe
File created	C:\Windows\SysWOW64\ozfqrzl.exe	oosydnh.exe
File created	C:\Windows\SysWOW64\qgtbgqm.exe	ozfqrzl.exe
File opened for modification	C:\Windows\SysWOW64\dvtxsdx.exe	qlmmpef.exe
File opened for modification	C:\Windows\SysWOW64\jxnyvzy.exe	ixlsjzs.exe
File opened for modification	C:\Windows\SysWOW64\qgtbgqm.exe	ozfqrzl.exe
File created	C:\Windows\SysWOW64\qyulidw.exe	qgtbgqm.exe
File created	C:\Windows\SysWOW64\isrstmg.exe	gazubqy.exe
File opened for modification	C:\Windows\SysWOW64\yzefldh.exe	tchpyca.exe
File opened for modification	C:\Windows\SysWOW64\orukvug.exe	vggecxi.exe
File opened for modification	C:\Windows\SysWOW64\jionsjp.exe	orukvug.exe
File opened for modification	C:\Windows\SysWOW64\ixlsjzs.exe	jionsjp.exe
File opened for modification	C:\Windows\SysWOW64\lzdkjph.exe	dvtxsdx.exe
File created	C:\Windows\SysWOW64\dmpmfbi.exe	afhwekb.exe
File created	C:\Windows\SysWOW64\lfgdrox.exe	yplbiga.exe
File created	C:\Windows\SysWOW64\qlmmpef.exe	fquchje.exe
File created	C:\Windows\SysWOW64\gxjtace.exe	vbibsie.exe
File opened for modification	C:\Windows\SysWOW64\gxjtace.exe	vbibsie.exe
File created	C:\Windows\SysWOW64\fquchje.exe	vqheplw.exe
File created	C:\Windows\SysWOW64\qpkqcko.exe	ilaclzl.exe
File created	C:\Windows\SysWOW64\ohpxnvj.exe	dmpmfbi.exe
File opened for modification	C:\Windows\SysWOW64\gazubqy.exe	dqafiuq.exe
File created	C:\Windows\SysWOW64\yzefldh.exe	tchpyca.exe
File created	C:\Windows\SysWOW64\dmxnffm.exe	yzefldh.exe
File created	C:\Windows\SysWOW64\iwninks.exe	dmxnffm.exe
File created	C:\Windows\SysWOW64\vbibsie.exe	iknyjiy.exe
File created	C:\Windows\SysWOW64\qscehxf.exe	gxjtace.exe
File opened for modification	C:\Windows\SysWOW64\vjthonb.exe	lzdkjph.exe
File opened for modification	C:\Windows\SysWOW64\vggecxi.exe	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\oosydnh.exe	ohvslee.exe
File opened for modification	C:\Windows\SysWOW64\qyulidw.exe	qgtbgqm.exe
File opened for modification	C:\Windows\SysWOW64\dzoiacl.exe	vjthonb.exe
File created	C:\Windows\SysWOW64\xtudmvz.exe	qpkqcko.exe
File created	C:\Windows\SysWOW64\yplbiga.exe	qomiczw.exe
File created	C:\Windows\SysWOW64\vqheplw.exe	ljdhemp.exe
File opened for modification	C:\Windows\SysWOW64\futvakd.exe	xtudmvz.exe
File created	C:\Windows\SysWOW64\vggecxi.exe	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ohvslee.exe	jxnyvzy.exe
File opened for modification	C:\Windows\SysWOW64\oosydnh.exe	ohvslee.exe
File opened for modification	C:\Windows\SysWOW64\vbhwgig.exe	lfgdrox.exe
File created	C:\Windows\SysWOW64\iknyjiy.exe	vbhwgig.exe

Suspicious use of SetThreadContext 41 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 2864 set thread context of 4044	2864	vggecxi.exe	95
PID 1168 set thread context of 1540	1168	orukvug.exe	112
PID 1236 set thread context of 2760	1236	jionsjp.exe	130
PID 1968 set thread context of 1744	1968	ixlsjzs.exe	151
PID 3324 set thread context of 3620	3324	jxnyvzy.exe	166
PID 2300 set thread context of 2768	2300	ohvslee.exe	182
PID 4040 set thread context of 4724	4040	oosydnh.exe	201
PID 3692 set thread context of 4028	3692	ozfqrzl.exe	222
PID 4772 set thread context of 4156	4772	qgtbgqm.exe	242
PID 3704 set thread context of 2740	3704	qyulidw.exe	257
PID 1188 set thread context of 2260	1188	txmwkma.exe	273
PID 1760 set thread context of 1676	1760	afhwekb.exe	294
PID 2840 set thread context of 4888	2840	dmpmfbi.exe	309
PID 3252 set thread context of 4728	3252	ohpxnvj.exe	334
PID 2536 set thread context of 3220	2536	dqafiuq.exe	348
PID 924 set thread context of 640	924	gazubqy.exe	364
PID 2112 set thread context of 2440	2112	isrstmg.exe	382
PID 3856 set thread context of 5108	3856	tchpyca.exe	399
PID 3356 set thread context of 4060	3356	yzefldh.exe	417
PID 3152 set thread context of 2008	3152	dmxnffm.exe	436
PID 3660 set thread context of 3104	3660	iwninks.exe	454
PID 4920 set thread context of 2368	4920	qomiczw.exe	476
PID 3652 set thread context of 1564	3652	yplbiga.exe	490
PID 972 set thread context of 1628	972	lfgdrox.exe	508
PID 2892 set thread context of 756	2892	iknyjiy.exe	544
PID 4344 set thread context of 2356	4344	vbibsie.exe	562
PID 1932 set thread context of 2232	1932	gxjtace.exe	585
PID 2028 set thread context of 324	2028	qscehxf.exe	601
PID 1492 set thread context of 396	1492	ywmrzqq.exe	618
PID 4576 set thread context of 1292	4576	ljdhemp.exe	636
PID 2248 set thread context of 4748	2248	vqheplw.exe	654
PID 1480 set thread context of 1748	1480	fquchje.exe	673
PID 3348 set thread context of 860	3348	qlmmpef.exe	691
PID 2016 set thread context of 2224	2016	dvtxsdx.exe	709
PID 4864 set thread context of 1228	4864	lzdkjph.exe	723
PID 1096 set thread context of 768	1096	vjthonb.exe	742
PID 3360 set thread context of 4324	3360	dzoiacl.exe	759
PID 4440 set thread context of 3580	4440	ilaclzl.exe	778
PID 3520 set thread context of 4260	3520	qpkqcko.exe	796
PID 3204 set thread context of 3904	3204	xtudmvz.exe	814

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qgtbgqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ixlsjzs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qscehxf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfgdrox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfgdrox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmxnffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vqheplw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpkqcko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qomiczw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlmmpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzoiacl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
2864	vggecxi.exe
1168	orukvug.exe
1236	jionsjp.exe
1968	ixlsjzs.exe
3324	jxnyvzy.exe
2300	ohvslee.exe
4040	oosydnh.exe
3692	ozfqrzl.exe
4772	qgtbgqm.exe
3704	qyulidw.exe
1188	txmwkma.exe
1760	afhwekb.exe
2840	dmpmfbi.exe
3252	ohpxnvj.exe
2536	dqafiuq.exe
924	gazubqy.exe
2112	isrstmg.exe
3856	tchpyca.exe
3356	yzefldh.exe
3152	dmxnffm.exe
3660	iwninks.exe
4920	qomiczw.exe
3652	yplbiga.exe
972	lfgdrox.exe
2892	iknyjiy.exe
4344	vbibsie.exe
1932	gxjtace.exe
2028	qscehxf.exe
1492	ywmrzqq.exe
4576	ljdhemp.exe
2248	vqheplw.exe
1480	fquchje.exe
3348	qlmmpef.exe
2016	dvtxsdx.exe
4864	lzdkjph.exe
1096	vjthonb.exe
3360	dzoiacl.exe
4440	ilaclzl.exe
3520	qpkqcko.exe
3204	xtudmvz.exe
3020	futvakd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 892	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	82
PID 4532 wrote to memory of 4104	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	83
PID 4532 wrote to memory of 4104	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	83
PID 4532 wrote to memory of 4104	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	83
PID 4532 wrote to memory of 3256	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3256	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3256	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	84
PID 4532 wrote to memory of 448	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	85
PID 4532 wrote to memory of 448	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	85
PID 4532 wrote to memory of 448	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	85
PID 4532 wrote to memory of 4576	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	86
PID 4532 wrote to memory of 4576	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	86
PID 4532 wrote to memory of 4576	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	86
PID 4532 wrote to memory of 1648	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	87
PID 4532 wrote to memory of 1648	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	87
PID 4532 wrote to memory of 1648	4532	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	87
PID 892 wrote to memory of 2864	892	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	93
PID 892 wrote to memory of 2864	892	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	93
PID 892 wrote to memory of 2864	892	d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe	93
PID 3256 wrote to memory of 1184	3256	cmd.exe	254
PID 3256 wrote to memory of 1184	3256	cmd.exe	254
PID 3256 wrote to memory of 1184	3256	cmd.exe	254
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 4044	2864	vggecxi.exe	95
PID 2864 wrote to memory of 3200	2864	vggecxi.exe	96
PID 2864 wrote to memory of 3200	2864	vggecxi.exe	96
PID 2864 wrote to memory of 3200	2864	vggecxi.exe	96
PID 2864 wrote to memory of 544	2864	vggecxi.exe	97
PID 2864 wrote to memory of 544	2864	vggecxi.exe	97
PID 2864 wrote to memory of 544	2864	vggecxi.exe	97
PID 2864 wrote to memory of 4540	2864	vggecxi.exe	379
PID 2864 wrote to memory of 4540	2864	vggecxi.exe	379
PID 2864 wrote to memory of 4540	2864	vggecxi.exe	379
PID 2864 wrote to memory of 2264	2864	vggecxi.exe	99
PID 2864 wrote to memory of 2264	2864	vggecxi.exe	99
PID 2864 wrote to memory of 2264	2864	vggecxi.exe	99
PID 2864 wrote to memory of 3304	2864	vggecxi.exe	266
PID 2864 wrote to memory of 3304	2864	vggecxi.exe	266
PID 2864 wrote to memory of 3304	2864	vggecxi.exe	266
PID 1184 wrote to memory of 1020	1184	net.exe	101
PID 1184 wrote to memory of 1020	1184	net.exe	101
PID 1184 wrote to memory of 1020	1184	net.exe	101
PID 4104 wrote to memory of 5072	4104	cmd.exe	104
PID 4104 wrote to memory of 5072	4104	cmd.exe	104
PID 4104 wrote to memory of 5072	4104	cmd.exe	104
PID 1648 wrote to memory of 5068	1648	cmd.exe	105
PID 1648 wrote to memory of 5068	1648	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\vggecxi.exe
    C:\Windows\system32\vggecxi.exe 988 "C:\Users\Admin\AppData\Local\Temp\d90a33ac1d1845428baec0765efe1796_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\vggecxi.exe
      C:\Windows\SysWOW64\vggecxi
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4044
    - - C:\Windows\SysWOW64\orukvug.exe
        
        C:\Windows\system32\orukvug.exe 1016 "C:\Windows\SysWOW64\vggecxi.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1168
      - C:\Windows\SysWOW64\orukvug.exe
        
        C:\Windows\SysWOW64\orukvug
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\jionsjp.exe
        
        C:\Windows\system32\jionsjp.exe 1016 "C:\Windows\SysWOW64\orukvug.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\jionsjp.exe
        
        C:\Windows\SysWOW64\jionsjp
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\ixlsjzs.exe
        
        C:\Windows\system32\ixlsjzs.exe 1016 "C:\Windows\SysWOW64\jionsjp.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\ixlsjzs.exe
        
        C:\Windows\SysWOW64\ixlsjzs
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\jxnyvzy.exe
        
        C:\Windows\system32\jxnyvzy.exe 1016 "C:\Windows\SysWOW64\ixlsjzs.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3324
        
        C:\Windows\SysWOW64\jxnyvzy.exe
        
        C:\Windows\SysWOW64\jxnyvzy
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\ohvslee.exe
        
        C:\Windows\system32\ohvslee.exe 1016 "C:\Windows\SysWOW64\jxnyvzy.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\ohvslee.exe
        
        C:\Windows\SysWOW64\ohvslee
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\oosydnh.exe
        
        C:\Windows\system32\oosydnh.exe 1020 "C:\Windows\SysWOW64\ohvslee.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\oosydnh.exe
        
        C:\Windows\SysWOW64\oosydnh
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\ozfqrzl.exe
        
        C:\Windows\system32\ozfqrzl.exe 1044 "C:\Windows\SysWOW64\oosydnh.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        C:\Windows\SysWOW64\ozfqrzl.exe
        
        C:\Windows\SysWOW64\ozfqrzl
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\qgtbgqm.exe
        
        C:\Windows\system32\qgtbgqm.exe 1044 "C:\Windows\SysWOW64\ozfqrzl.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Windows\SysWOW64\qgtbgqm.exe
        
        C:\Windows\SysWOW64\qgtbgqm
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\qyulidw.exe
        
        C:\Windows\system32\qyulidw.exe 1016 "C:\Windows\SysWOW64\qgtbgqm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3704
        
        C:\Windows\SysWOW64\qyulidw.exe
        
        C:\Windows\SysWOW64\qyulidw
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\txmwkma.exe
        
        C:\Windows\system32\txmwkma.exe 1044 "C:\Windows\SysWOW64\qyulidw.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\txmwkma.exe
        
        C:\Windows\SysWOW64\txmwkma
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\afhwekb.exe
        
        C:\Windows\system32\afhwekb.exe 1016 "C:\Windows\SysWOW64\txmwkma.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\afhwekb.exe
        
        C:\Windows\SysWOW64\afhwekb
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\dmpmfbi.exe
        
        C:\Windows\system32\dmpmfbi.exe 1016 "C:\Windows\SysWOW64\afhwekb.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\dmpmfbi.exe
        
        C:\Windows\SysWOW64\dmpmfbi
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\ohpxnvj.exe
        
        C:\Windows\system32\ohpxnvj.exe 1044 "C:\Windows\SysWOW64\dmpmfbi.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3252
        
        C:\Windows\SysWOW64\ohpxnvj.exe
        
        C:\Windows\SysWOW64\ohpxnvj
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\dqafiuq.exe
        
        C:\Windows\system32\dqafiuq.exe 1088 "C:\Windows\SysWOW64\ohpxnvj.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\dqafiuq.exe
        
        C:\Windows\SysWOW64\dqafiuq
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\gazubqy.exe
        
        C:\Windows\system32\gazubqy.exe 1056 "C:\Windows\SysWOW64\dqafiuq.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\gazubqy.exe
        
        C:\Windows\SysWOW64\gazubqy
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\isrstmg.exe
        
        C:\Windows\system32\isrstmg.exe 1016 "C:\Windows\SysWOW64\gazubqy.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\isrstmg.exe
        
        C:\Windows\SysWOW64\isrstmg
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2440
        
        C:\Windows\SysWOW64\tchpyca.exe
        
        C:\Windows\system32\tchpyca.exe 1016 "C:\Windows\SysWOW64\isrstmg.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        C:\Windows\SysWOW64\tchpyca.exe
        
        C:\Windows\SysWOW64\tchpyca
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\yzefldh.exe
        
        C:\Windows\system32\yzefldh.exe 1016 "C:\Windows\SysWOW64\tchpyca.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3356
        
        C:\Windows\SysWOW64\yzefldh.exe
        
        C:\Windows\SysWOW64\yzefldh
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\dmxnffm.exe
        
        C:\Windows\system32\dmxnffm.exe 1028 "C:\Windows\SysWOW64\yzefldh.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Windows\SysWOW64\dmxnffm.exe
        
        C:\Windows\SysWOW64\dmxnffm
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\iwninks.exe
        
        C:\Windows\system32\iwninks.exe 1044 "C:\Windows\SysWOW64\dmxnffm.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\Windows\SysWOW64\iwninks.exe
        
        C:\Windows\SysWOW64\iwninks
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\qomiczw.exe
        
        C:\Windows\system32\qomiczw.exe 1044 "C:\Windows\SysWOW64\iwninks.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4920
        
        C:\Windows\SysWOW64\qomiczw.exe
        
        C:\Windows\SysWOW64\qomiczw
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\yplbiga.exe
        
        C:\Windows\system32\yplbiga.exe 1016 "C:\Windows\SysWOW64\qomiczw.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3652
        
        C:\Windows\SysWOW64\yplbiga.exe
        
        C:\Windows\SysWOW64\yplbiga
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\lfgdrox.exe
        
        C:\Windows\system32\lfgdrox.exe 1148 "C:\Windows\SysWOW64\yplbiga.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\lfgdrox.exe
        
        C:\Windows\SysWOW64\lfgdrox
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\vbhwgig.exe
        
        C:\Windows\system32\vbhwgig.exe 1056 "C:\Windows\SysWOW64\lfgdrox.exe"
        51⤵
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\vbhwgig.exe
        
        C:\Windows\SysWOW64\vbhwgig
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\iknyjiy.exe
        
        C:\Windows\system32\iknyjiy.exe 1044 "C:\Windows\SysWOW64\vbhwgig.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\iknyjiy.exe
        
        C:\Windows\SysWOW64\iknyjiy
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\vbibsie.exe
        
        C:\Windows\system32\vbibsie.exe 1052 "C:\Windows\SysWOW64\iknyjiy.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\SysWOW64\vbibsie.exe
        
        C:\Windows\SysWOW64\vbibsie
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\gxjtace.exe
        
        C:\Windows\system32\gxjtace.exe 1052 "C:\Windows\SysWOW64\vbibsie.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\gxjtace.exe
        
        C:\Windows\SysWOW64\gxjtace
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\qscehxf.exe
        
        C:\Windows\system32\qscehxf.exe 1192 "C:\Windows\SysWOW64\gxjtace.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\qscehxf.exe
        
        C:\Windows\SysWOW64\qscehxf
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\ywmrzqq.exe
        
        C:\Windows\system32\ywmrzqq.exe 1052 "C:\Windows\SysWOW64\qscehxf.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\ywmrzqq.exe
        
        C:\Windows\SysWOW64\ywmrzqq
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\ljdhemp.exe
        
        C:\Windows\system32\ljdhemp.exe 1148 "C:\Windows\SysWOW64\ywmrzqq.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4576
        
        C:\Windows\SysWOW64\ljdhemp.exe
        
        C:\Windows\SysWOW64\ljdhemp
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\vqheplw.exe
        
        C:\Windows\system32\vqheplw.exe 1040 "C:\Windows\SysWOW64\ljdhemp.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\vqheplw.exe
        
        C:\Windows\SysWOW64\vqheplw
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\fquchje.exe
        
        C:\Windows\system32\fquchje.exe 1092 "C:\Windows\SysWOW64\vqheplw.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\fquchje.exe
        
        C:\Windows\SysWOW64\fquchje
        68⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\qlmmpef.exe
        
        C:\Windows\system32\qlmmpef.exe 1148 "C:\Windows\SysWOW64\fquchje.exe"
        69⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        C:\Windows\SysWOW64\qlmmpef.exe
        
        C:\Windows\SysWOW64\qlmmpef
        70⤵
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\dvtxsdx.exe
        
        C:\Windows\system32\dvtxsdx.exe 1148 "C:\Windows\SysWOW64\qlmmpef.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\dvtxsdx.exe
        
        C:\Windows\SysWOW64\dvtxsdx
        72⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\lzdkjph.exe
        
        C:\Windows\system32\lzdkjph.exe 1044 "C:\Windows\SysWOW64\dvtxsdx.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Windows\SysWOW64\lzdkjph.exe
        
        C:\Windows\SysWOW64\lzdkjph
        74⤵
        Drops file in System32 directory
        
        PID:1228
        
        C:\Windows\SysWOW64\vjthonb.exe
        
        C:\Windows\system32\vjthonb.exe 1044 "C:\Windows\SysWOW64\lzdkjph.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1096
        
        C:\Windows\SysWOW64\vjthonb.exe
        
        C:\Windows\SysWOW64\vjthonb
        76⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\dzoiacl.exe
        
        C:\Windows\system32\dzoiacl.exe 1056 "C:\Windows\SysWOW64\vjthonb.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3360
        
        C:\Windows\SysWOW64\dzoiacl.exe
        
        C:\Windows\SysWOW64\dzoiacl
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\ilaclzl.exe
        
        C:\Windows\system32\ilaclzl.exe 1044 "C:\Windows\SysWOW64\dzoiacl.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\ilaclzl.exe
        
        C:\Windows\SysWOW64\ilaclzl
        80⤵
        Drops file in System32 directory
        
        PID:3580
        
        C:\Windows\SysWOW64\qpkqcko.exe
        
        C:\Windows\system32\qpkqcko.exe 1016 "C:\Windows\SysWOW64\ilaclzl.exe"
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        C:\Windows\SysWOW64\qpkqcko.exe
        
        C:\Windows\SysWOW64\qpkqcko
        82⤵
        Drops file in System32 directory
        
        PID:4260
        
        C:\Windows\SysWOW64\xtudmvz.exe
        
        C:\Windows\system32\xtudmvz.exe 1020 "C:\Windows\SysWOW64\qpkqcko.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3204
        
        C:\Windows\SysWOW64\xtudmvz.exe
        
        C:\Windows\SysWOW64\xtudmvz
        84⤵
        Drops file in System32 directory
        
        PID:3904
        
        C:\Windows\SysWOW64\futvakd.exe
        
        C:\Windows\system32\futvakd.exe 1044 "C:\Windows\SysWOW64\xtudmvz.exe"
        85⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\futvakd.exe
        
        C:\Windows\SysWOW64\futvakd
        86⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\nnsvhry.exe
        
        C:\Windows\system32\nnsvhry.exe 1048 "C:\Windows\SysWOW64\futvakd.exe"
        87⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\nnsvhry.exe
        
        C:\Windows\SysWOW64\nnsvhry
        88⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\yfibuha.exe
        
        C:\Windows\system32\yfibuha.exe 1056 "C:\Windows\SysWOW64\nnsvhry.exe"
        89⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\yfibuha.exe
        
        C:\Windows\SysWOW64\yfibuha
        90⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\fjsodad.exe
        
        C:\Windows\system32\fjsodad.exe 1048 "C:\Windows\SysWOW64\yfibuha.exe"
        91⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\fjsodad.exe
        
        C:\Windows\SysWOW64\fjsodad
        92⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\nnctvlo.exe
        
        C:\Windows\system32\nnctvlo.exe 1016 "C:\Windows\SysWOW64\fjsodad.exe"
        93⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\nnctvlo.exe
        
        C:\Windows\SysWOW64\nnctvlo
        94⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\spkodqu.exe
        
        C:\Windows\system32\spkodqu.exe 1044 "C:\Windows\SysWOW64\nnctvlo.exe"
        95⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\spkodqu.exe
        
        C:\Windows\SysWOW64\spkodqu
        96⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\xqsrtos.exe
        
        C:\Windows\system32\xqsrtos.exe 1020 "C:\Windows\SysWOW64\spkodqu.exe"
        97⤵
        
        PID:624
        
        C:\Windows\SysWOW64\xqsrtos.exe
        
        C:\Windows\SysWOW64\xqsrtos
        98⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\frrjicw.exe
        
        C:\Windows\system32\frrjicw.exe 1052 "C:\Windows\SysWOW64\xqsrtos.exe"
        99⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\frrjicw.exe
        
        C:\Windows\SysWOW64\frrjicw
        100⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\tayulcw.exe
        
        C:\Windows\system32\tayulcw.exe 1052 "C:\Windows\SysWOW64\frrjicw.exe"
        101⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\tayulcw.exe
        
        C:\Windows\SysWOW64\tayulcw
        102⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\pqcphih.exe
        
        C:\Windows\system32\pqcphih.exe 1020 "C:\Windows\SysWOW64\tayulcw.exe"
        103⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\pqcphih.exe
        
        C:\Windows\SysWOW64\pqcphih
        104⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\axhzjuc.exe
        
        C:\Windows\system32\axhzjuc.exe 1016 "C:\Windows\SysWOW64\pqcphih.exe"
        105⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\axhzjuc.exe
        
        C:\Windows\SysWOW64\axhzjuc
        106⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\fgpczzi.exe
        
        C:\Windows\system32\fgpczzi.exe 1048 "C:\Windows\SysWOW64\axhzjuc.exe"
        107⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\fgpczzi.exe
        
        C:\Windows\SysWOW64\fgpczzi
        108⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\klicljn.exe
        
        C:\Windows\system32\klicljn.exe 1052 "C:\Windows\SysWOW64\fgpczzi.exe"
        109⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\klicljn.exe
        
        C:\Windows\SysWOW64\klicljn
        110⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\smhczqr.exe
        
        C:\Windows\system32\smhczqr.exe 1044 "C:\Windows\SysWOW64\klicljn.exe"
        111⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\smhczqr.exe
        
        C:\Windows\SysWOW64\smhczqr
        112⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\aqspjbu.exe
        
        C:\Windows\system32\aqspjbu.exe 1016 "C:\Windows\SysWOW64\smhczqr.exe"
        113⤵
        
        PID:468
        
        C:\Windows\SysWOW64\aqspjbu.exe
        
        C:\Windows\SysWOW64\aqspjbu
        114⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\nzysmau.exe
        
        C:\Windows\system32\nzysmau.exe 1056 "C:\Windows\SysWOW64\aqspjbu.exe"
        115⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\nzysmau.exe
        
        C:\Windows\SysWOW64\nzysmau
        116⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\sxvizbt.exe
        
        C:\Windows\system32\sxvizbt.exe 1056 "C:\Windows\SysWOW64\nzysmau.exe"
        117⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\sxvizbt.exe
        
        C:\Windows\SysWOW64\sxvizbt
        118⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\afqaurc.exe
        
        C:\Windows\system32\afqaurc.exe 1016 "C:\Windows\SysWOW64\sxvizbt.exe"
        119⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\afqaurc.exe
        
        C:\Windows\SysWOW64\afqaurc
        120⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\kxgfyhe.exe
        
        C:\Windows\system32\kxgfyhe.exe 1044 "C:\Windows\SysWOW64\afqaurc.exe"
        121⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\kxgfyhe.exe
        
        C:\Windows\SysWOW64\kxgfyhe
        122⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\sbqtqah.exe
        
        C:\Windows\system32\sbqtqah.exe 1032 "C:\Windows\SysWOW64\kxgfyhe.exe"
        123⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\sbqtqah.exe
        
        C:\Windows\SysWOW64\sbqtqah
        124⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\axsyzlk.exe
        
        C:\Windows\system32\axsyzlk.exe 1040 "C:\Windows\SysWOW64\sbqtqah.exe"
        125⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\axsyzlk.exe
        
        C:\Windows\SysWOW64\axsyzlk
        126⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\iyryoso.exe
        
        C:\Windows\system32\iyryoso.exe 1044 "C:\Windows\SysWOW64\axsyzlk.exe"
        127⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\iyryoso.exe
        
        C:\Windows\SysWOW64\iyryoso
        128⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\pcblxly.exe
        
        C:\Windows\system32\pcblxly.exe 1016 "C:\Windows\SysWOW64\iyryoso.exe"
        129⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\pcblxly.exe
        
        C:\Windows\SysWOW64\pcblxly
        130⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\yomlgjp.exe
        
        C:\Windows\system32\yomlgjp.exe 1016 "C:\Windows\SysWOW64\pcblxly.exe"
        131⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\yomlgjp.exe
        
        C:\Windows\SysWOW64\yomlgjp
        132⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\fswyqca.exe
        
        C:\Windows\system32\fswyqca.exe 1040 "C:\Windows\SysWOW64\yomlgjp.exe"
        133⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\fswyqca.exe
        
        C:\Windows\SysWOW64\fswyqca
        134⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\icnoiyz.exe
        
        C:\Windows\system32\icnoiyz.exe 1044 "C:\Windows\SysWOW64\fswyqca.exe"
        135⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\icnoiyz.exe
        
        C:\Windows\SysWOW64\icnoiyz
        136⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\nakwvrh.exe
        
        C:\Windows\system32\nakwvrh.exe 1056 "C:\Windows\SysWOW64\icnoiyz.exe"
        137⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\nakwvrh.exe
        
        C:\Windows\SysWOW64\nakwvrh
        138⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\sneepbl.exe
        
        C:\Windows\system32\sneepbl.exe 1032 "C:\Windows\SysWOW64\nakwvrh.exe"
        139⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\sneepbl.exe
        
        C:\Windows\SysWOW64\sneepbl
        140⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\cifwwwm.exe
        
        C:\Windows\system32\cifwwwm.exe 1016 "C:\Windows\SysWOW64\sneepbl.exe"
        141⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cifwwwm.exe
        
        C:\Windows\SysWOW64\cifwwwm
        142⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\kbewdcq.exe
        
        C:\Windows\system32\kbewdcq.exe 1016 "C:\Windows\SysWOW64\cifwwwm.exe"
        143⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\kbewdcq.exe
        
        C:\Windows\SysWOW64\kbewdcq
        144⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\pkmrtiw.exe
        
        C:\Windows\system32\pkmrtiw.exe 1016 "C:\Windows\SysWOW64\kbewdcq.exe"
        145⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\pkmrtiw.exe
        
        C:\Windows\SysWOW64\pkmrtiw
        146⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\xdlsixa.exe
        
        C:\Windows\system32\xdlsixa.exe 1016 "C:\Windows\SysWOW64\pkmrtiw.exe"
        147⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\xdlsixa.exe
        
        C:\Windows\SysWOW64\xdlsixa
        148⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\fahfmzx.exe
        
        C:\Windows\system32\fahfmzx.exe 1052 "C:\Windows\SysWOW64\xdlsixa.exe"
        149⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\fahfmzx.exe
        
        C:\Windows\SysWOW64\fahfmzx
        150⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\nerkdka.exe
        
        C:\Windows\system32\nerkdka.exe 1016 "C:\Windows\SysWOW64\fahfmzx.exe"
        151⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\nerkdka.exe
        
        C:\Windows\SysWOW64\nerkdka
        152⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\ubtxmdl.exe
        
        C:\Windows\system32\ubtxmdl.exe 1044 "C:\Windows\SysWOW64\nerkdka.exe"
        153⤵
        
        PID:464
        
        C:\Windows\SysWOW64\ubtxmdl.exe
        
        C:\Windows\SysWOW64\ubtxmdl
        154⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\fpfqopg.exe
        
        C:\Windows\system32\fpfqopg.exe 1092 "C:\Windows\SysWOW64\ubtxmdl.exe"
        155⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\fpfqopg.exe
        
        C:\Windows\SysWOW64\fpfqopg
        156⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        156⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        156⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        156⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        156⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        154⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        154⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        154⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        154⤵
        
        PID:4580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        154⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        152⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        153⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        154⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        152⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        153⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        154⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        152⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        152⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        153⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        152⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        153⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        150⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        151⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        152⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        150⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        151⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        152⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        150⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        150⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        151⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        150⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        151⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        148⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        149⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        150⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        148⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        149⤵
        
        PID:432
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        150⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        148⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        148⤵
        
        PID:5964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        149⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        148⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        149⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        146⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        147⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        148⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        146⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        147⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        148⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        146⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        146⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        147⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        146⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        147⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        144⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        145⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        146⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        144⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        145⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        146⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        144⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        144⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        145⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        144⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        145⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        142⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        143⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        144⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        142⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        143⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        144⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        142⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        142⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        143⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        142⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        143⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        140⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        141⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        142⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        140⤵
        
        PID:392
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        141⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        142⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        140⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        140⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        141⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        140⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        141⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        138⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        139⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        140⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        138⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        139⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        140⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        138⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        138⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        139⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        138⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        139⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        136⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        137⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        138⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        136⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        137⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        138⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        136⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        136⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        137⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        136⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        137⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        134⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        135⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        136⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        134⤵
        
        PID:5752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        135⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        136⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        134⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        134⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        135⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        134⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        135⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        132⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        133⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        134⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        132⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        133⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        134⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        132⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        132⤵
        
        PID:4872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        133⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        132⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        133⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        130⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        131⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        132⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        130⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        131⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        132⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        130⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        130⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        131⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        130⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        131⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        128⤵
        
        PID:64
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        129⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        130⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        128⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        129⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        130⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        128⤵
        
        PID:1848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        128⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        129⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        128⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        129⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        126⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        127⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        128⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        126⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        127⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        128⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        126⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        126⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        127⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        126⤵
        
        PID:5208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        127⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        124⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        125⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        126⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        124⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        125⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        126⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        124⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        124⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        125⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        124⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        125⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        122⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        123⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        124⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        122⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        123⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        124⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        122⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        122⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        123⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        122⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        123⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        120⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        121⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        122⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        120⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        121⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        122⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        120⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        120⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        121⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        120⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        121⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        118⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        119⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        120⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        118⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        119⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        120⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        118⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        118⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        119⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        118⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        119⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        116⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        117⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        118⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        116⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        117⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        118⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        116⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        116⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        117⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        116⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        117⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        114⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        115⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        116⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        114⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        115⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        116⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        114⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        114⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        115⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        114⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        115⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        112⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        113⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        114⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        112⤵
        
        PID:4192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        113⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        114⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        112⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        112⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        113⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        112⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        113⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        110⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        111⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        112⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        110⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        111⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        112⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        110⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        110⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        111⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        110⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        111⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        108⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        109⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        110⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        108⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        109⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        110⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        108⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        108⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        109⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        108⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        109⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        106⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        107⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        108⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        106⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        107⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        108⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        106⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        106⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        107⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        106⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        107⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        104⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        105⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        106⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        104⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        105⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        106⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        104⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        104⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        105⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        104⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        105⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        102⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        103⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        104⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        102⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        103⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        104⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        102⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        102⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        103⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        102⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        103⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        100⤵
        
        PID:792
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        101⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        102⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        100⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        101⤵
        
        PID:64
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        102⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        100⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        100⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        101⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        100⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        101⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        98⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        99⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        100⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        98⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        99⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        100⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        98⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        98⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        99⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        98⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        99⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        96⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        97⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        98⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        96⤵
        
        PID:228
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        97⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        98⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        96⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        96⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        97⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        96⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        97⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        94⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        95⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        96⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        94⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        95⤵
        
        PID:792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        96⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        94⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        94⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        95⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        94⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        95⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        92⤵
        
        PID:864
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        93⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        94⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        92⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        93⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        94⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        92⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        92⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        93⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        92⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        93⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        90⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        91⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        92⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        90⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        91⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        92⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        90⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        90⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        91⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        90⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        91⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        88⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        89⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        90⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        88⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        89⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        90⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        88⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        88⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        89⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        88⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        89⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        86⤵
        
        PID:512
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        87⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        88⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        86⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        87⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        88⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        86⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        86⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        87⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        86⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        87⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        84⤵
        
        PID:4544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        85⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        86⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        84⤵
        
        PID:808
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        85⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        86⤵
        
        PID:984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        84⤵
        
        PID:1184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        85⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        84⤵
        
        PID:228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        85⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        84⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        85⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        82⤵
        
        PID:764
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        83⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        84⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        82⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        83⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        84⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        82⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        83⤵
        Modifies security service
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        82⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        83⤵
        Modifies security service
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        80⤵
        
        PID:3456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:316
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        81⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        82⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        80⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        81⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        82⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        80⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        80⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        81⤵
        Modifies security service
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        80⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        81⤵
        Modifies security service
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        78⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        79⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        80⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        78⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        79⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        80⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        78⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        79⤵
        Modifies security service
        
        PID:1084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        78⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        79⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        76⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        78⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        76⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        78⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        76⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        76⤵
        
        PID:464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        77⤵
        Modifies security service
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        76⤵
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        77⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        74⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        75⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        76⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4016
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        76⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        74⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        74⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        75⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        74⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        75⤵
        Modifies security service
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        72⤵
        
        PID:316
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        73⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        74⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        72⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        73⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        74⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        72⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        73⤵
        Modifies security service
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        72⤵
        
        PID:792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        73⤵
        Modifies security service
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        70⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:696
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        71⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        72⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        70⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        71⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        72⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        70⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        71⤵
        Modifies security service
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        70⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        71⤵
        Modifies security service
        
        PID:1588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        68⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        69⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        70⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        68⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        69⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        70⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        68⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        68⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        69⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        68⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        69⤵
        Modifies security service
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        66⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        67⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        68⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        66⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        67⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        68⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        67⤵
        Modifies security service
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        66⤵
        
        PID:4304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        67⤵
        Modifies security service
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        65⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        66⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        64⤵
        
        PID:528
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        65⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        66⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        64⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        64⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        65⤵
        Modifies security service
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        64⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        65⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        62⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        63⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        64⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        62⤵
        
        PID:408
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        63⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        64⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        62⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        62⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        63⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        63⤵
        Modifies security service
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        60⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        61⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        62⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        60⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        61⤵
        
        PID:864
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        62⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        60⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        60⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        61⤵
        Modifies security service
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        60⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        61⤵
        Modifies security service
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        58⤵
        
        PID:512
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        59⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        60⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        58⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        59⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        60⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        58⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        58⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        59⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        58⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        59⤵
        Modifies security service
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        56⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        57⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        58⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        56⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        57⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        58⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        56⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        56⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        57⤵
        Modifies security service
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        56⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        57⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        54⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        55⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        56⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        54⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        56⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        54⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        54⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        55⤵
        Modifies security service
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        54⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        55⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        53⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        54⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        52⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        53⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        54⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        52⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        52⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        53⤵
        Modifies security service
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        52⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        53⤵
        Modifies security service
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        50⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        51⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        52⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        50⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        51⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        52⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        50⤵
        
        PID:4224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        50⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        51⤵
        Modifies security service
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        50⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        51⤵
        Modifies security service
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        48⤵
        
        PID:1492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        49⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        49⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        50⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        48⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        49⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        48⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        49⤵
        Modifies security service
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        46⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        47⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        48⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        46⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        47⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        48⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        46⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        46⤵
        
        PID:952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        47⤵
        Modifies security service
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        46⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        47⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        44⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        45⤵
        
        PID:232
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        46⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        44⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        45⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        46⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        44⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        44⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        45⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        44⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        45⤵
        Modifies security service
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        42⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        43⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        42⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        43⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        44⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        42⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        42⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        43⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        42⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        43⤵
        Modifies security service
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        40⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        41⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        42⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        40⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        41⤵
        
        PID:792
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        42⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        40⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        40⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        41⤵
        Modifies security service
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        40⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        41⤵
        Modifies security service
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        39⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        40⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        38⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        39⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        40⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        38⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        39⤵
        Modifies security service
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        38⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        39⤵
        Modifies security service
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        36⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        37⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        38⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        36⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        37⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        38⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        36⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        36⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        37⤵
        Modifies security service
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        36⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        37⤵
        Modifies security service
        
        PID:1228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        36⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        34⤵
        
        PID:528
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        35⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        36⤵
        
        PID:628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        34⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        34⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        35⤵
        Modifies security service
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        34⤵
        
        PID:408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        32⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        33⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        34⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        33⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        34⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        32⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        33⤵
        Modifies security service
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        32⤵
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        33⤵
        Modifies security service
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        31⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        31⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        32⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        30⤵
        
        PID:4920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        30⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        31⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        30⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        31⤵
        Modifies security service
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        28⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        29⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        30⤵
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        28⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        29⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        30⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        28⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        28⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        29⤵
        Modifies security service
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        29⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        26⤵
        
        PID:792
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        27⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        28⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        26⤵
        
        PID:628
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        27⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        28⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        26⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        26⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        27⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        26⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        27⤵
        Modifies security service
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        24⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        25⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        26⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        24⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        25⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        24⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        24⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        25⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        24⤵
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        25⤵
        Modifies security service
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        22⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        23⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        22⤵
        
        PID:696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        23⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        24⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        22⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        22⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        23⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        20⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        21⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        22⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        20⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        21⤵
        
        PID:464
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        20⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        20⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        21⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        20⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        21⤵
        Modifies security service
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        18⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        19⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        18⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        19⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        18⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        18⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        19⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        18⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        19⤵
        Modifies security service
        
        PID:4212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        16⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        18⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        16⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        17⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        18⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        16⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        16⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        17⤵
        Modifies security service
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        16⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        17⤵
        Modifies security service
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        14⤵
        
        PID:960
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        15⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        14⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        16⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        14⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        14⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        15⤵
        Modifies security service
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        14⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        15⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        13⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        13⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        12⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        13⤵
        Modifies security service
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        12⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        13⤵
        Modifies security service
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        11⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        11⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        12⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        10⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        11⤵
        Modifies security service
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        10⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        11⤵
        Modifies security service
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        9⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        10⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        8⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        9⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        10⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        8⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        9⤵
        Modifies security service
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        8⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        9⤵
        Modifies security service
        
        PID:3616
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop "Security Center"
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        7⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        8⤵
        
        PID:1032
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c net stop SharedAccess
        6⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        7⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        8⤵
        
        PID:3640
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        7⤵
        Modifies security service
        
        PID:1544
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        7⤵
        
        PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Security Center"
      4⤵
      PID:3200
    - - C:\Windows\SysWOW64\net.exe
        
        net stop "Security Center"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Security Center"
        6⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop SharedAccess
      4⤵
      PID:544
    - - C:\Windows\SysWOW64\net.exe
        
        net stop SharedAccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SharedAccess
        6⤵
        
        PID:2444
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
      4⤵
      PID:2264
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
        5⤵
        Modifies security service
        System Location Discovery: System Language Discovery
        
        PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
        5⤵
        Modifies security service
        
        PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\net.exe
    net stop "Security Center"
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:3280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:1020
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  PID:4576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:4264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vggecxi.exe

Filesize
484KB

MD5
d90a33ac1d1845428baec0765efe1796

SHA1
41d4d07095aee2ffe20497a4d1621f764a33ee73

SHA256
ad4cc7d0639d95613f2c3a7b26c644e4bcbd5c4d9325a1dd48b7280124923a7a

SHA512
f98d8ce2efa86f41e6eec39cae9f95064f5e154cc03543960236f77407146e0e35470cdbf9e4bd503fd8ca8ededb4468ee3b06eeeed858e846d96dd0cc3c0d2a

Download Submit
memory/892-4-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/892-5-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/892-2-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/892-19-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1540-39-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1676-162-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1744-66-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2260-147-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2740-138-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2760-54-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2768-90-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/3620-77-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4028-114-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4044-27-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4156-123-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4724-102-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4728-187-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/4888-174-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads