asyncrat | 9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236

Analysis

max time kernel
19s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2025, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Size

1018KB
MD5

eceb6e1e8aa84e6501589dc1d3deb419
SHA1

467a412530d7af26b01ec278d7d325e4b6dd047a
SHA256

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
SHA512

be256564941a092d73b6931dfa0a238b17d68c69e1742b98844e43fa3010db83bf9d52922912e127cd9b6cd1bbf9ecd39c4a36c2da676ca060bf21ffef8b27bf
SSDEEP

24576:pji1+TKiRzC0NqgGApfkxIpePcvkTR8cvkTAU:pu1+miRnQjALpe0vkTNvkTN

Score

10^/10

asyncrat darkcomet nanocore default guest16 defense_evasion discovery execution keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

jvjv2044duck33.duckdns.org:8808

Mutex

0fC8zJGwBBNm

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-CK7UE3N

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Jp74nsvbhc4i
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000024273-100.dat	family_asyncrat

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2896	attrib.exe
4596	attrib.exe
3604	attrib.exe
1184	attrib.exe
4884	attrib.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	LEGIT_SOFTWARE2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WINDOWS DEFENDER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	LEGIT_SOFTWARE1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	FILE5.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Rundll32.exe

Executes dropped EXE 64 IoCs

pid	Process
1592	FILE5.EXE
8	JOKE.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4580	JOKE2.EXE
4660	LEGIT_SOFTWARE1.EXE
4740	LEGIT_SOFTWARE2.EXE
4844	VLC1.EXE
4992	SENDE2R.EXE
2800	WINDOWS DEFENDER.EXE
5976	WINDOWS SECURITY NANO.EXE
2496	Rundll32.exe
3088	Rundll32.exe
5164	msdcsc.exe
2100	Rundll32.exe
2912	msdcsc.exe
1000	Rundll32.exe
1784	msdcsc.exe
3188	Rundll32.exe
5708	Rundll32.exe
5780	Rundll32.exe
5464	Rundll32.exe
5664	Rundll32.exe
4400	Rundll32.exe
2392	Rundll32.exe
3824	Rundll32.exe
3204	Rundll32.exe
5284	Rundll32.exe
2232	Rundll32.exe
5664	Rundll32.exe
828	Rundll32.exe
5552	Rundll32.exe
4384	Rundll32.exe
2676	Rundll32.exe
2392	Rundll32.exe
4516	Rundll32.exe
5328	Rundll32.exe
1652	Rundll32.exe
4300	Rundll32.exe
2716	Rundll32.exe
5460	Rundll32.exe
5508	Rundll32.exe
5404	Rundll32.exe
3748	Rundll32.exe
3228	Rundll32.exe
5912	Rundll32.exe
4788	Rundll32.exe
3876	Rundll32.exe
1796	csrss.exe
912	Rundll32.exe
3152	Rundll32.exe
2444	Rundll32.exe
1624	Rundll32.exe
660	Rundll32.exe
2852	Rundll32.exe
1800	Rundll32.exe
3908	Rundll32.exe
5528	Rundll32.exe
3812	Rundll32.exe
1524	Rundll32.exe
4496	Rundll32.exe
3700	Rundll32.exe
5228	msdcsc.exe
5052	Rundll32.exe
5284	Rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Windows\\Temp\\svchost_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Users\\Public\\Documents\\winservice_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Manager = "C:\\Program Files (x86)\\DNS Manager\\dnsmgr.exe"	WINDOWS SECURITY NANO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WINDOWS SECURITY NANO.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\Rundll32.exe	SENDE2R.EXE

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0002000000022b76-84.dat	upx
behavioral1/memory/4844-96-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5164-214-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2912-225-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2912-250-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/4844-279-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1784-283-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1784-292-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5164-332-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5164-465-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5228-477-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/5228-481-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DNS Manager\dnsmgr.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\DNS Manager\dnsmgr.exe	WINDOWS SECURITY NANO.EXE
File created	C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE	FILE5.EXE
File created	C:\Program Files (x86)\VLC1.EXE	FILE5.EXE
File created	C:\Program Files (x86)\WINDOWS DEFENDER.EXE	FILE5.EXE
File created	C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE	FILE5.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5740	powershell.exe
1076	powershell.exe
1728	powershell.exe
5636	powershell.exe
2472	powershell.exe
5724	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS SECURITY NANO.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FILE5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINDOWS DEFENDER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LEGIT_SOFTWARE2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SENDE2R.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOKE2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
3220	timeout.exe
5704	timeout.exe
4956	timeout.exe
1208	timeout.exe
3676	timeout.exe
2404	timeout.exe
4996	timeout.exe
436	timeout.exe
5392	timeout.exe
2940	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	VLC1.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
828	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
1076	powershell.exe
1076	powershell.exe
1728	powershell.exe
1728	powershell.exe
5740	powershell.exe
5740	powershell.exe
5636	powershell.exe
5636	powershell.exe
2472	powershell.exe
2472	powershell.exe
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4804	ULTIME MULTIHACK REBORN.EXE
1076	powershell.exe
5724	powershell.exe
5724	powershell.exe
4804	ULTIME MULTIHACK REBORN.EXE
5740	powershell.exe
4804	ULTIME MULTIHACK REBORN.EXE
1728	powershell.exe
5636	powershell.exe
4804	ULTIME MULTIHACK REBORN.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
2800	WINDOWS DEFENDER.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4804	ULTIME MULTIHACK REBORN.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
5976	WINDOWS SECURITY NANO.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4804	ULTIME MULTIHACK REBORN.EXE
4804	ULTIME MULTIHACK REBORN.EXE
2472	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5976	WINDOWS SECURITY NANO.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4844	VLC1.EXE
Token: SeSecurityPrivilege	4844	VLC1.EXE
Token: SeTakeOwnershipPrivilege	4844	VLC1.EXE
Token: SeLoadDriverPrivilege	4844	VLC1.EXE
Token: SeSystemProfilePrivilege	4844	VLC1.EXE
Token: SeSystemtimePrivilege	4844	VLC1.EXE
Token: SeProfSingleProcessPrivilege	4844	VLC1.EXE
Token: SeIncBasePriorityPrivilege	4844	VLC1.EXE
Token: SeCreatePagefilePrivilege	4844	VLC1.EXE
Token: SeBackupPrivilege	4844	VLC1.EXE
Token: SeRestorePrivilege	4844	VLC1.EXE
Token: SeShutdownPrivilege	4844	VLC1.EXE
Token: SeDebugPrivilege	4844	VLC1.EXE
Token: SeSystemEnvironmentPrivilege	4844	VLC1.EXE
Token: SeChangeNotifyPrivilege	4844	VLC1.EXE
Token: SeRemoteShutdownPrivilege	4844	VLC1.EXE
Token: SeUndockPrivilege	4844	VLC1.EXE
Token: SeManageVolumePrivilege	4844	VLC1.EXE
Token: SeImpersonatePrivilege	4844	VLC1.EXE
Token: SeCreateGlobalPrivilege	4844	VLC1.EXE
Token: 33	4844	VLC1.EXE
Token: 34	4844	VLC1.EXE
Token: 35	4844	VLC1.EXE
Token: 36	4844	VLC1.EXE
Token: SeDebugPrivilege	5976	WINDOWS SECURITY NANO.EXE
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeIncreaseQuotaPrivilege	5164	msdcsc.exe
Token: SeSecurityPrivilege	5164	msdcsc.exe
Token: SeTakeOwnershipPrivilege	5164	msdcsc.exe
Token: SeLoadDriverPrivilege	5164	msdcsc.exe
Token: SeSystemProfilePrivilege	5164	msdcsc.exe
Token: SeSystemtimePrivilege	5164	msdcsc.exe
Token: SeProfSingleProcessPrivilege	5164	msdcsc.exe
Token: SeIncBasePriorityPrivilege	5164	msdcsc.exe
Token: SeCreatePagefilePrivilege	5164	msdcsc.exe
Token: SeBackupPrivilege	5164	msdcsc.exe
Token: SeRestorePrivilege	5164	msdcsc.exe
Token: SeShutdownPrivilege	5164	msdcsc.exe
Token: SeDebugPrivilege	5164	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	5164	msdcsc.exe
Token: SeChangeNotifyPrivilege	5164	msdcsc.exe
Token: SeRemoteShutdownPrivilege	5164	msdcsc.exe
Token: SeUndockPrivilege	5164	msdcsc.exe
Token: SeManageVolumePrivilege	5164	msdcsc.exe
Token: SeImpersonatePrivilege	5164	msdcsc.exe
Token: SeCreateGlobalPrivilege	5164	msdcsc.exe
Token: 33	5164	msdcsc.exe
Token: 34	5164	msdcsc.exe
Token: 35	5164	msdcsc.exe
Token: 36	5164	msdcsc.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5636	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeIncreaseQuotaPrivilege	2912	msdcsc.exe
Token: SeSecurityPrivilege	2912	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2912	msdcsc.exe
Token: SeLoadDriverPrivilege	2912	msdcsc.exe
Token: SeSystemProfilePrivilege	2912	msdcsc.exe
Token: SeSystemtimePrivilege	2912	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2912	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2912	msdcsc.exe
Token: SeCreatePagefilePrivilege	2912	msdcsc.exe
Token: SeBackupPrivilege	2912	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
8	JOKE.EXE
4580	JOKE2.EXE
5164	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5948 wrote to memory of 2960	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 5948 wrote to memory of 2960	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 5948 wrote to memory of 2960	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 5948 wrote to memory of 1592	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	88
PID 5948 wrote to memory of 1592	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	88
PID 5948 wrote to memory of 1592	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	88
PID 5948 wrote to memory of 744	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 5948 wrote to memory of 744	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 5948 wrote to memory of 744	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 5948 wrote to memory of 5864	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	90
PID 5948 wrote to memory of 5864	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	90
PID 5948 wrote to memory of 5864	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	90
PID 5948 wrote to memory of 8	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 5948 wrote to memory of 8	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 5948 wrote to memory of 8	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 5948 wrote to memory of 4580	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	92
PID 5948 wrote to memory of 4580	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	92
PID 5948 wrote to memory of 4580	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	92
PID 1592 wrote to memory of 4804	1592	FILE5.EXE	93
PID 1592 wrote to memory of 4804	1592	FILE5.EXE	93
PID 1592 wrote to memory of 4804	1592	FILE5.EXE	93
PID 5948 wrote to memory of 4660	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	94
PID 5948 wrote to memory of 4660	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	94
PID 5948 wrote to memory of 4660	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	94
PID 5948 wrote to memory of 4740	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	95
PID 5948 wrote to memory of 4740	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	95
PID 5948 wrote to memory of 4740	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	95
PID 2960 wrote to memory of 4756	2960	WScript.exe	96
PID 2960 wrote to memory of 4756	2960	WScript.exe	96
PID 2960 wrote to memory of 4756	2960	WScript.exe	96
PID 1592 wrote to memory of 4844	1592	FILE5.EXE	97
PID 1592 wrote to memory of 4844	1592	FILE5.EXE	97
PID 1592 wrote to memory of 4844	1592	FILE5.EXE	97
PID 5948 wrote to memory of 972	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	98
PID 5948 wrote to memory of 972	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	98
PID 5948 wrote to memory of 972	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	98
PID 5948 wrote to memory of 4992	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	100
PID 5948 wrote to memory of 4992	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	100
PID 5948 wrote to memory of 4992	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	100
PID 1592 wrote to memory of 2800	1592	FILE5.EXE	101
PID 1592 wrote to memory of 2800	1592	FILE5.EXE	101
PID 1592 wrote to memory of 2800	1592	FILE5.EXE	101
PID 744 wrote to memory of 5312	744	WScript.exe	102
PID 744 wrote to memory of 5312	744	WScript.exe	102
PID 744 wrote to memory of 5312	744	WScript.exe	102
PID 5864 wrote to memory of 6100	5864	WScript.exe	104
PID 5864 wrote to memory of 6100	5864	WScript.exe	104
PID 5864 wrote to memory of 6100	5864	WScript.exe	104
PID 1592 wrote to memory of 5976	1592	FILE5.EXE	106
PID 1592 wrote to memory of 5976	1592	FILE5.EXE	106
PID 1592 wrote to memory of 5976	1592	FILE5.EXE	106
PID 5948 wrote to memory of 2952	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	111
PID 5948 wrote to memory of 2952	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	111
PID 5948 wrote to memory of 2952	5948	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	111
PID 744 wrote to memory of 5740	744	WScript.exe	114
PID 744 wrote to memory of 5740	744	WScript.exe	114
PID 744 wrote to memory of 5740	744	WScript.exe	114
PID 4660 wrote to memory of 2176	4660	LEGIT_SOFTWARE1.EXE	115
PID 4660 wrote to memory of 2176	4660	LEGIT_SOFTWARE1.EXE	115
PID 744 wrote to memory of 1076	744	WScript.exe	118
PID 744 wrote to memory of 1076	744	WScript.exe	118
PID 744 wrote to memory of 1076	744	WScript.exe	118
PID 4844 wrote to memory of 864	4844	VLC1.EXE	119
PID 4844 wrote to memory of 864	4844	VLC1.EXE	119

Views/modifies file attributes 1 TTPs 5 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4596	attrib.exe
3604	attrib.exe
1184	attrib.exe
4884	attrib.exe
2896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
"C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5232
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5340
- C:\Users\Admin\AppData\Local\Temp\FILE5.EXE
  "C:\Users\Admin\AppData\Local\Temp\FILE5.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE
    "C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4804
- - C:\Program Files (x86)\VLC1.EXE
    "C:\Program Files (x86)\VLC1.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
      4⤵
      PID:864
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:264
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3604
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:5340
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2912
- - C:\Program Files (x86)\WINDOWS DEFENDER.EXE
    "C:\Program Files (x86)\WINDOWS DEFENDER.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5516
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6002.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5068
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1208
    - - C:\Users\Admin\AppData\Roaming\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\csrss.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1796
- - C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE
    "C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FINDM10E.VBS"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Windows\Temp\svchost_533423.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5312
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Windows\Temp\svchost_533423.exe
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Service WinDefend -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name taskmgr.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name cmd.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name regedit.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name procexp.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name processhacker.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /deletevalue {current} safeboot
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:4964
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cipher /e /s:C:\Windows\Temp\
    3⤵
    PID:3996
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e /s:C:\Windows\Temp\
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    PID:6024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INSTALLE10R.VBS"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2896
- C:\Users\Admin\AppData\Local\Temp\JOKE.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:8
- C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4580
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4863.tmp\4864.tmp\4865.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:2176
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbx.vbs"
      4⤵
      PID:5704
  - - C:\Windows\system32\net.exe
      net stop "WSearch"
      4⤵
      PID:3004
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WSearch"
        5⤵
        
        PID:4748
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "START PAGE" /d "https://watchfurry4k.com"
      4⤵
      Modifies Internet Explorer settings
      PID:1604
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4864.tmp\4864.tmp\4865.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
    3⤵
    PID:756
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:436
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4956
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3676
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5392
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2940
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2404
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4996
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3220
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LOL.VBS"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sys32.hta \\IDKMAN\C$\Users\Public\sys32.hta
    3⤵
    PID:5180
- C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE
  "C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4992
- - C:\Windows\SysWOW64\config\Rundll32.exe
    "C:\Windows\system32\config\Rundll32.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
  - - C:\Windows\SysWOW64\config\Rundll32.exe
      "C:\Windows\system32\config\Rundll32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3088
    - - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        5⤵
        Executes dropped EXE
        
        PID:2100
      - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        12⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        26⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        40⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        52⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        54⤵
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        55⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        56⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        57⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        58⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        60⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        61⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        62⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        63⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        64⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        65⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        68⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        69⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        70⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        72⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        76⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        78⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        79⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        80⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        82⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        92⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        94⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        96⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        97⤵
        
        PID:912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        98⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        99⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        100⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        101⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        102⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        103⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        104⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        105⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        106⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        107⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        108⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        109⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        110⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        111⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        112⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        113⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        114⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        115⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        116⤵
        
        PID:436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        117⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        118⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        119⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        120⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        121⤵
        
        PID:972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        122⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        123⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        124⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        125⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        126⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        127⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        128⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        129⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        130⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        131⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        132⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        133⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        134⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        135⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        136⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        137⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        138⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        139⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        140⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        141⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        142⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        143⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        144⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        145⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        146⤵
        
        PID:832
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        147⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        148⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        149⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        150⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        151⤵
        
        PID:112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        152⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        153⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        154⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        155⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        156⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        157⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        158⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        159⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        160⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        161⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        162⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        163⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        164⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        165⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        166⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        167⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        168⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        169⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        170⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        171⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        172⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        173⤵
        
        PID:916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        174⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        175⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        176⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        177⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        178⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        179⤵
        
        PID:744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        180⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        181⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        182⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        183⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        184⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        185⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        186⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        187⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        188⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        189⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        190⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        191⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        192⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        193⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        194⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        195⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        196⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        197⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        198⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        199⤵
        
        PID:700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        200⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        201⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        202⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        203⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        204⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        205⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        206⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        207⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        208⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        209⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        210⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        211⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        212⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        213⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        214⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        215⤵
        
        PID:436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        216⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        217⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        218⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        219⤵
        
        PID:700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        220⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        221⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        222⤵
        
        PID:868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        223⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        224⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        225⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        226⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        227⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        228⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        229⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        230⤵
        
        PID:376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        231⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        232⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        233⤵
        
        PID:228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        234⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        235⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        236⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        237⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        238⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        239⤵
        
        PID:908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        240⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        241⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        242⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        243⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        244⤵
        
        PID:396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        245⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        246⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        247⤵
        
        PID:768
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        248⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        249⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        250⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        251⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        252⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        253⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        254⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        255⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        256⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        257⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        258⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        259⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        260⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        261⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        262⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        263⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        264⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        265⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        266⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        267⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        268⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        269⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        270⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        271⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        272⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        273⤵
        
        PID:376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        274⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        275⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        276⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        277⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        278⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        279⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        280⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        281⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        282⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        283⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        284⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        285⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        286⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        287⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        288⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        289⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        290⤵
        
        PID:768
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        291⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        292⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        293⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        294⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        295⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        296⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        297⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        298⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        299⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        300⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        301⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        302⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        303⤵
        
        PID:908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        304⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        305⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        306⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        307⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        308⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        309⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        310⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        311⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        312⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        313⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        314⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        315⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        316⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        317⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        318⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        319⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        320⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        321⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        322⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        323⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        324⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        325⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        326⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        327⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        328⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        329⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        330⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        331⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        332⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        333⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        334⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        335⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        336⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        337⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        338⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        339⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        340⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        341⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        342⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        343⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        344⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        345⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        346⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        347⤵
        
        PID:700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        348⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        349⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        350⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        351⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        352⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        353⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        354⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        355⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        356⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        357⤵
        
        PID:916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        358⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        359⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        360⤵
        
        PID:228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        361⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        362⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        363⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        364⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        365⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        366⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        367⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        368⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        369⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        370⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        371⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        372⤵
        
        PID:972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        373⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        374⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        375⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        376⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        377⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        378⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        379⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        380⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        381⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        382⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        383⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        384⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        385⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        386⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        387⤵
        
        PID:944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        388⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        389⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        390⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        391⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        392⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        393⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        394⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        395⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        396⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        397⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        398⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        399⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        400⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        401⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        402⤵
        
        PID:436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        403⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        404⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        405⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        406⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        407⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        408⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        409⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        410⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        411⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        412⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        413⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        414⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        415⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        416⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        417⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        418⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        419⤵
        
        PID:764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        420⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        421⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        422⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        423⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        424⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        425⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        426⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        427⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        428⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        429⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        430⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        431⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        432⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        433⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        434⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        435⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        436⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        437⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        438⤵
        
        PID:2160
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic process call create 'notepad && mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3608
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process call create 'notepad
      4⤵
      PID:3888
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
      4⤵
      PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\svchost_533423.exe
1⤵
PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\winservice_533423.exe
1⤵
PID:5204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5488
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5164
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\DNS Manager\dnsmgr.exe
1⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4708
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3488
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:5228

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1456
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:3960

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 85Rs47PHi0KX4UXKkqyqvg.0.2
1⤵
PID:5552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5744
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3212
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:112
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:5872

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE

Filesize
86KB

MD5
0739a4b039910c9ecc48661e25279e6e

SHA1
02bf3b0265850bc13e85ac9bb421b88b6babbcaf

SHA256
9df65940d3f2230b276e9ee989f15a94855e07cf2aa04210353f7a9e9a62db4a

SHA512
e8a8876f4cfc2657e2b355b288fb8386e40131aeacc18aba1036ea5e60cf9a571f8da4ead987751db16fba5054d50b3dac9c399e5dff38fc64bf22c4fb3cb92f

Download Submit
C:\Program Files (x86)\VLC1.EXE

Filesize
251KB

MD5
3a0071fc42e1305afa1bc5d3d8233068

SHA1
711402cabd474d742d31509f17b26493683d61d3

SHA256
d41679ada9aabdfd4a55f25a5721d6a5dfbdee53afcf0d1cf319276e28941afa

SHA512
1a0b0bd341fe097f924517e8848d4012a93286402d79cdd67cf2cfc3225bd3785f81d329348ae1e0afc308ea98790dc89872f41cf3e9843a9481512832a403d8

Download Submit
C:\Program Files (x86)\WINDOWS DEFENDER.EXE

Filesize
47KB

MD5
96da127f30d555f809b5a781eeadb5d4

SHA1
6742daf92406b52d5b98fcf3c8b96aca2f691404

SHA256
f2e3e68a10f9f07b031e2fd3d7d73553ee4639a5e1c2a0775ac0a2ddbeff5e53

SHA512
2c7f2d0bfb65e532f1c1068a93f92c2cd17682de70d8ee84cab47d3b3e80f87d97d16e0d41dee027f3381e5abe9d19f8b2604da7769d36243695be1d79b3be52

Download Submit
C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE

Filesize
209KB

MD5
172214b69dfbf053c83ff8e6b70842bc

SHA1
02e321757925f21b18c96d2e23d6e9a755df59ab

SHA256
da01598ba05a9467fa7cf76d9d212df75886eeeea30a633654dcdf29d8be90d9

SHA512
6b02e7dffd64a8cc7b83e7dcbfbd8d4dfb99f7cc13d5056ffb00efb51f7cf0431bb270b8afa394dbeb4e7b3558261c0ea6bd3a542bd82afd9fbc9c5227f83a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
fc599921531120ee4da69df062c56eb0

SHA1
af17e966932dea0738fa20ee797c425e27f586a9

SHA256
4a7e39b5764c56ced7bc100052a5c91efb5b8e6508555d04a4e1a180ec33a778

SHA512
b9b5ecb00dd7add3375f88f1ae57c7921be76699e9be331c8986331c0a91a404b7d037893d00233eb163db6f7c1b2fbc479f73c6f2eb04a2a8b798ebe4aaa458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
7bb001f0006c143ebf64c1275ecbd120

SHA1
37e69798e7a7e02c2f9973f7e1baf1875cd87842

SHA256
e9659e79442ea355f6926fd1acbcc686856582f9133918b6ffe5ff4e5b17e5b5

SHA512
79578e12c8cec7e50dd771d6b4032c4112e0bc382cb5c7e0a2b37ade64b0d21aa33c4e5cd0aa782dfe63fd5439796b4f6c9f79ebd9cac6bd6b3b2ef9bf7b0ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
5f7cc3ef192a2f3e13fa192025ea0f89

SHA1
698f214c18785debb04b21d6ea0a2308334937cf

SHA256
86bb924363d7518f2b266cf31034352e41c1fa912b6cb16f2de3103cc0672908

SHA512
08ad26f97976321ffa9f672e15445d81dd66402ce24735c099ffa2a66f1467fe5101bf626c55e24df2eb2f93e1ca29d5248f1029b33744cd7f493531a86a7d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
b3d74ce02e772a69fb7a067685f44462

SHA1
0834c3af5ba8d8f11bddb0e2266ca84832d78545

SHA256
5b061a30fb435985ad93aa1efcd4b634648a8f6d1edfef160cdd89c4a8341d8a

SHA512
6db88ac018d38a1c7139bcbfd73a5338576657e11de3532c2c0fa7ed150afecf169f87632e60a4fb8719116987644bdeeed0ce598dd44f7a50b7ea7c4a8867e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
b50f02c6ee56ecd8641c90f0d40cbb29

SHA1
0020793ab9179d55759b8941a456d9a372cdeddf

SHA256
f4d00f8bfb482f35cf544c714d118ee14fe7c1de376e087515df29926850fbe2

SHA512
06c82c1efc31de01253dd18cbe78a58a44f5b9e27a46e4a06d851c1e574aa8f80a9e91c9d53ffcf6952aa95a0d128487f8b79437725994ad73e7764eea9e3481

Download Submit
C:\Users\Admin\AppData\Local\Temp\4863.tmp\4864.tmp\4865.bat

Filesize
419B

MD5
58ff629a82464e0c19c1f13d0401d33c

SHA1
1e5af92e0f93b8066c5868651ae15f933d1d034b

SHA256
fe063155a0afbde316ee82cd32769afcb3cda55c599d9e12097f0cfd5916acf6

SHA512
e9a66f113b4ca7839a4b043dd22e558df9f0acd66b0647067734a776cd64b30511f2e2c2000ee20a3d0c92830790b0d96d068ee794e93c24d9aa16e64dbfa972

Download Submit
C:\Users\Admin\AppData\Local\Temp\4864.tmp\4864.tmp\4865.bat

Filesize
288B

MD5
d6b8c97601f8219f4ce731a4a654f88d

SHA1
c327ca9e28729682cf1851b4e8299487575f7447

SHA256
0aa19971942d5fa91dae0e40ed000fc7dacdcb90c6f2254cc6f007c35514ef56

SHA512
2ef3b2c910aa47c16f0d72374733ee4b1991a9dc86558e43fb034a24c5723107c9cecc131b397d1c5abecfbaa60c56f63d30119c05f20e78fa189edabea26b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS

Filesize
667B

MD5
d0ef78b5be1f57ed5d18e57dd6bd6d31

SHA1
060c48d3e88ff7c94a6ee97189670805aa041303

SHA256
fd819d9467aba2d315be6051ebe84b2d6e72571f1174ca7c49763303e065a1fa

SHA512
3637db6b558f5e680a4796f79da983c1849e248f4f62209566b9c59189f3cf41c420c8aa5f4d845c96acd00bccbc029489ec832b7479472b4d123b5ae61e009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FILE5.EXE

Filesize
648KB

MD5
38836c26314605862f3ca3bfe0936b46

SHA1
b68d2a35b2d9f5083e3b2574ec409c6dbb615fd1

SHA256
3e151c518a16e949c618995aa6e38f509ff95f4fcc0f2a84a13a64f310e34e1b

SHA512
dc0aecfe210fd1169eea3118ca09de6dcb4e53ad6a7aee25580df1b82b224fa551a4c961756fbf0a415ab77aec2a26867cfd16fe0358bb1024da80b9e7bdc67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FINDM10E.VBS

Filesize
2KB

MD5
8ef7859cb44262053840e18037c862bd

SHA1
3215cf7cd1cf3af4fed0f3bdcc569c70fc2b2f73

SHA256
d4e84178fa198e903c717fac251159a053bedb307685e29c047621a22813bd9f

SHA512
6af654daad764a046052d8ca270b4e471cc6c5b2b33b589b8ad25660309f12fa6598dcad686e1ca88f12042976b37b6c30ed40b3084cad5dcf4b124170adab2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLE10R.VBS

Filesize
1KB

MD5
7cc3b626518cf48dbfc1afcc85d95f21

SHA1
e190e0dc8dd587fe2695b199e750be5811d64a6c

SHA256
5d3db0d7702bc6b8ca3f8a644dd354203544e03e50e2745dd4540e95654c6296

SHA512
c161ad60d28196bdb6198581f2173696b3c927422d179c5f30f593c470f94d18377476e8aa5a2ea7a66008e0d14fd49c34a8fb65974b306506c2f57f98aaa02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE.EXE

Filesize
55KB

MD5
07bd1ee5d09f280f6bc168f733d0490c

SHA1
0eacf38d54c2a2eb1782dd48b4ec7e61f007ce09

SHA256
fd426902b744a212d28fb869cc209f9d2251cc3f1a18f0508e087edf73bd2aed

SHA512
bf05683c95ca3d3fbd9c7624d045688440fe517f355fb23a60313c41336cb81d98ab77bbd1d11db248426de7eaa52c777efafa2250ebe041a79bade189b252a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE

Filesize
55KB

MD5
490568d9de15cd9d30736ba8a3083caa

SHA1
54943326186190bd528278521a096b93c9f102cf

SHA256
04496907588a2332a7ba32a00ba9ec7df101e47843a35f226f0612016930748d

SHA512
db997225356b0a69e424829bf6d0868bce997363650d4e59f2fe628d8f19593f16c544ee7ec37c8711201647f842b85b94437f903c655597078d53e40301d702

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE

Filesize
87KB

MD5
3748f4762016f1d005ad74a32e067359

SHA1
d3b0501286a19052bd8559a511dd595064dd0e45

SHA256
8df01525e7581d59e9b74d0b3f4254710bd5188291a1a2ae95273f7cf0fc94ca

SHA512
c9507c510b62f8413afef433dd0c67844caaa473d9fa3e7c467ad6950f314f75f3a1932f981e8408c28befd843847b3f1065ffd94b001233912ece71ae7760d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE

Filesize
87KB

MD5
236afa11abeaa2413b07c5a412c5e64f

SHA1
eea7da7ac3b9c28c5956d5ae36e64160d348db3a

SHA256
83dfdbd502c1ac4c98d373a8e3b1ada82d5e006c82312c86dd8f348ca7b88e4a

SHA512
9dd698ed829317e8483c37967c9b17b23389efe6c68d7dfb28e8d5fa19d1d533d9cd6b396ae2c216b3bb07dc8c928da9dbfab6a937d0a59318357c4fe9e1e49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL.VBS

Filesize
1KB

MD5
8bb7d55904f0592b12912cd17a6226a2

SHA1
4ef10c2a156f45d3daeeeeeea52c642ac0e7615e

SHA256
b363fbb1413da760fda389fbc481025b725dd281712542c32014bc6273eddac8

SHA512
8f9f6fef4719f07439d34074684bb235cdf0056e62ebbd182dfad75e67029da1903004affc4ef4a6a53307af2c5ab709b026bb43eb0704d0f18a9904c4bfc11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA

Filesize
738B

MD5
1c35226c8c701349da6b67b0ffbd14e6

SHA1
0fec4a653a965f49c7f2b8fb3c9e63fe0deabda2

SHA256
dde632014ecc3adbc0be72e8fe86f789910797bada0b8c326dd4662d39408761

SHA512
4e7c483d23fd0f48a8de2cf80354923568ed764b48ebe9700cb81af7ca27759d99ab84d7ec18d61ae5c7183be3be0107deb7737373a2370ea59477b79db768d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vp4bl5mj.aqf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

Filesize
44B

MD5
020632109d137052c3e1eee7a16b419f

SHA1
3fced3ebe99d8ae61f1564a2cee6b85e9dc810d7

SHA256
df7ca44289b61cd88899441d17d54536818c3409ca3d233444e407c259f43697

SHA512
cb9b43734eb49c4df551c6dafaccdbb7187d223ad54361ff1013383751f67d62d933940fc5af49b474e21422d05efa2ddd42baca2e18cbc97a26b10a42dafffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6002.tmp.bat

Filesize
149B

MD5
df271addcd602762b9e7c2961f256717

SHA1
c99e095caaae348d7bb2000e2830ea22f68f428f

SHA256
bafcae5ba7322c70287a93730af1b3bd082878a31215157e14bb29eeca79643f

SHA512
cb0a4f806ad8d6381f3576cfe92864d1a064ec4dffbd21c992c7f37867ef84a2ccfec216b3a58acb6db3d76c711b932e77c4fd947ef91ddea7001cfa0e9f62e4

Download Submit
C:\Windows\SysWOW64\config\Rundll32.exe

Filesize
24KB

MD5
c3ffaa41bf9c27053522ef7d68388b52

SHA1
d676498dcf952449526e190269f0b42698b523cc

SHA256
c21480e3e7606a3670a2a18a3db1acd429130c08b41e97f319102d00a7b023b9

SHA512
dc076eeb45e8ed4729cf25c7fb7769597a77d6dae5fe1e3c4b92857a1a437483cd374c86c40235b90a9598c6899c613ae23f37b7beb8d8c8d5900f7507e9ea8a

Download Submit
memory/608-489-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/660-459-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/828-501-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/828-415-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/912-451-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1000-290-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1000-248-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1040-497-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1076-326-0x0000000006CC0000-0x0000000006CE2000-memory.dmp

Filesize
136KB

Download
memory/1076-207-0x00000000051B0000-0x00000000051E6000-memory.dmp

Filesize
216KB

Download
memory/1076-323-0x0000000006C10000-0x0000000006CA6000-memory.dmp

Filesize
600KB

Download
memory/1076-325-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

Filesize
104KB

Download
memory/1076-293-0x00000000054E0000-0x00000000054FE000-memory.dmp

Filesize
120KB

Download
memory/1076-294-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/1076-208-0x0000000005890000-0x0000000005EB8000-memory.dmp

Filesize
6.2MB

Download
memory/1212-506-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-469-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-474-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1624-457-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1652-432-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1728-224-0x00000000054C0000-0x0000000005814000-memory.dmp

Filesize
3.3MB

Download
memory/1728-221-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/1728-220-0x0000000004D10000-0x0000000004D32000-memory.dmp

Filesize
136KB

Download
memory/1728-222-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/1784-283-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1784-292-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1800-462-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1892-495-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2100-247-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2100-218-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2232-409-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-425-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-383-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2444-455-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2496-206-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2496-152-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-423-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2716-436-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2800-123-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2852-461-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2912-225-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2912-250-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3088-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3088-204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3152-453-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3188-306-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3204-389-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3204-385-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3228-443-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3700-480-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3748-442-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3748-487-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3812-466-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3812-471-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3824-381-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3824-387-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3876-449-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3908-464-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4300-434-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4384-421-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4400-350-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4496-476-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4496-472-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4516-428-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4516-426-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4620-219-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4788-447-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-116-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/4804-140-0x0000000005450000-0x00000000054A6000-memory.dmp

Filesize
344KB

Download
memory/4804-124-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/4804-95-0x0000000005180000-0x000000000521C000-memory.dmp

Filesize
624KB

Download
memory/4804-88-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/4804-139-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/4844-279-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4844-96-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/4960-491-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4992-150-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4992-114-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5052-483-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5164-465-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5164-214-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5164-332-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5228-477-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5228-481-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5268-492-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5284-400-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5284-485-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5328-430-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5340-151-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/5404-440-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5460-438-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5464-324-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5464-335-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5508-439-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5528-468-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5552-418-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5596-504-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5596-502-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5664-341-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5664-412-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5664-333-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5684-494-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5708-316-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5780-322-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5856-499-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5912-445-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download