asyncrat | 9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236

Analysis

max time kernel
15s
max time network
60s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Size

1018KB
MD5

eceb6e1e8aa84e6501589dc1d3deb419
SHA1

467a412530d7af26b01ec278d7d325e4b6dd047a
SHA256

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
SHA512

be256564941a092d73b6931dfa0a238b17d68c69e1742b98844e43fa3010db83bf9d52922912e127cd9b6cd1bbf9ecd39c4a36c2da676ca060bf21ffef8b27bf
SSDEEP

24576:pji1+TKiRzC0NqgGApfkxIpePcvkTR8cvkTAU:pu1+miRnQjALpe0vkTNvkTN

Score

10^/10

asyncrat darkcomet nanocore default guest16 defense_evasion discovery execution keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

jvjv2044duck33.duckdns.org:54984

Mutex

2fda0c27-65af-4514-b648-0066e7bbf615

Attributes

activate_away_mode
true
backup_connection_host
jvjv2044duck33.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2025-01-27T20:01:11.197098036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2fda0c27-65af-4514-b648-0066e7bbf615
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jvjv2044duck33.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-CK7UE3N

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Jp74nsvbhc4i
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

jvjv2044duck33.duckdns.org:8808

Mutex

0fC8zJGwBBNm

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001900000002b1a8-106.dat	family_asyncrat

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3440	attrib.exe
2164	attrib.exe
244	attrib.exe
4644	attrib.exe
1780	attrib.exe

Executes dropped EXE 64 IoCs

pid	Process
1608	FILE5.EXE
4212	JOKE.EXE
4288	LEGIT_SOFTWARE1.EXE
5296	LEGIT_SOFTWARE2.EXE
5672	JOKE2.EXE
4416	SENDE2R.EXE
4476	ULTIME MULTIHACK REBORN.EXE
2392	VLC1.EXE
5436	WINDOWS DEFENDER.EXE
2156	WINDOWS SECURITY NANO.EXE
4676	Rundll32.exe
1872	Rundll32.exe
5996	msdcsc.exe
6068	Rundll32.exe
2244	msdcsc.exe
1608	Rundll32.exe
1052	msdcsc.exe
2996	Rundll32.exe
708	Rundll32.exe
5448	Rundll32.exe
3636	Rundll32.exe
4568	Rundll32.exe
3108	Rundll32.exe
4188	Rundll32.exe
6044	Rundll32.exe
6104	Rundll32.exe
3360	Rundll32.exe
4396	Rundll32.exe
708	Rundll32.exe
4824	Rundll32.exe
3404	Rundll32.exe
5076	Rundll32.exe
2244	Rundll32.exe
1216	Rundll32.exe
3984	Rundll32.exe
3924	Rundll32.exe
4584	Rundll32.exe
5944	Rundll32.exe
1932	Rundll32.exe
3456	Rundll32.exe
2276	Rundll32.exe
4960	Rundll32.exe
3536	Rundll32.exe
2012	Rundll32.exe
5392	Rundll32.exe
4804	Rundll32.exe
4908	Rundll32.exe
3308	Rundll32.exe
2436	csrss.exe
1384	Rundll32.exe
4436	Rundll32.exe
32	Rundll32.exe
1984	Rundll32.exe
2000	Rundll32.exe
5104	Rundll32.exe
2748	Rundll32.exe
580	Rundll32.exe
1536	Rundll32.exe
5192	Rundll32.exe
3360	Rundll32.exe
2248	Rundll32.exe
4164	Rundll32.exe
3168	Rundll32.exe
5804	msdcsc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Windows\\Temp\\svchost_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Users\\Public\\Documents\\winservice_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Manager = "C:\\Program Files (x86)\\TCP Manager\\tcpmgr.exe"	WINDOWS SECURITY NANO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WINDOWS SECURITY NANO.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	SENDE2R.EXE
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\Rundll32.exe	SENDE2R.EXE
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x001900000002b199-102.dat	upx
behavioral2/memory/2392-110-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5996-212-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2244-266-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2244-280-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1052-282-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1052-285-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2392-295-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5996-331-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/5804-468-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WINDOWS DEFENDER.EXE	FILE5.EXE
File created	C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE	FILE5.EXE
File created	C:\Program Files (x86)\TCP Manager\tcpmgr.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\TCP Manager\tcpmgr.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\VLC1.EXE	attrib.exe
File created	C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE	FILE5.EXE
File created	C:\Program Files (x86)\VLC1.EXE	FILE5.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6016	powershell.exe
4444	powershell.exe
2008	powershell.exe
1064	powershell.exe
2332	powershell.exe
4276	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SENDE2R.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LEGIT_SOFTWARE1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
5324	timeout.exe
5124	timeout.exe
5980	timeout.exe
4744	timeout.exe
4824	timeout.exe
4780	timeout.exe
6036	timeout.exe
1820	timeout.exe
3588	timeout.exe
3412	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000_Classes\Local Settings	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	VLC1.EXE
Key created	\REGISTRY\USER\S-1-5-21-1492919288-2219487354-2015056034-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4568	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4444	powershell.exe
4444	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
2008	powershell.exe
2008	powershell.exe
1064	powershell.exe
1064	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
6016	powershell.exe
6016	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4276	powershell.exe
4276	powershell.exe
2332	powershell.exe
2332	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4444	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
6016	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
2008	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
1064	powershell.exe
4276	powershell.exe
2332	powershell.exe
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
2156	WINDOWS SECURITY NANO.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
4476	ULTIME MULTIHACK REBORN.EXE
5436	WINDOWS DEFENDER.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2156	WINDOWS SECURITY NANO.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2392	VLC1.EXE
Token: SeSecurityPrivilege	2392	VLC1.EXE
Token: SeTakeOwnershipPrivilege	2392	VLC1.EXE
Token: SeLoadDriverPrivilege	2392	VLC1.EXE
Token: SeSystemProfilePrivilege	2392	VLC1.EXE
Token: SeSystemtimePrivilege	2392	VLC1.EXE
Token: SeProfSingleProcessPrivilege	2392	VLC1.EXE
Token: SeIncBasePriorityPrivilege	2392	VLC1.EXE
Token: SeCreatePagefilePrivilege	2392	VLC1.EXE
Token: SeBackupPrivilege	2392	VLC1.EXE
Token: SeRestorePrivilege	2392	VLC1.EXE
Token: SeShutdownPrivilege	2392	VLC1.EXE
Token: SeDebugPrivilege	2392	VLC1.EXE
Token: SeSystemEnvironmentPrivilege	2392	VLC1.EXE
Token: SeChangeNotifyPrivilege	2392	VLC1.EXE
Token: SeRemoteShutdownPrivilege	2392	VLC1.EXE
Token: SeUndockPrivilege	2392	VLC1.EXE
Token: SeManageVolumePrivilege	2392	VLC1.EXE
Token: SeImpersonatePrivilege	2392	VLC1.EXE
Token: SeCreateGlobalPrivilege	2392	VLC1.EXE
Token: 33	2392	VLC1.EXE
Token: 34	2392	VLC1.EXE
Token: 35	2392	VLC1.EXE
Token: 36	2392	VLC1.EXE
Token: SeDebugPrivilege	2156	WINDOWS SECURITY NANO.EXE
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	4476	ULTIME MULTIHACK REBORN.EXE
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5996	msdcsc.exe
Token: SeSecurityPrivilege	5996	msdcsc.exe
Token: SeTakeOwnershipPrivilege	5996	msdcsc.exe
Token: SeLoadDriverPrivilege	5996	msdcsc.exe
Token: SeSystemProfilePrivilege	5996	msdcsc.exe
Token: SeSystemtimePrivilege	5996	msdcsc.exe
Token: SeProfSingleProcessPrivilege	5996	msdcsc.exe
Token: SeIncBasePriorityPrivilege	5996	msdcsc.exe
Token: SeCreatePagefilePrivilege	5996	msdcsc.exe
Token: SeBackupPrivilege	5996	msdcsc.exe
Token: SeRestorePrivilege	5996	msdcsc.exe
Token: SeShutdownPrivilege	5996	msdcsc.exe
Token: SeDebugPrivilege	5996	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	5996	msdcsc.exe
Token: SeChangeNotifyPrivilege	5996	msdcsc.exe
Token: SeRemoteShutdownPrivilege	5996	msdcsc.exe
Token: SeUndockPrivilege	5996	msdcsc.exe
Token: SeManageVolumePrivilege	5996	msdcsc.exe
Token: SeImpersonatePrivilege	5996	msdcsc.exe
Token: SeCreateGlobalPrivilege	5996	msdcsc.exe
Token: 33	5996	msdcsc.exe
Token: 34	5996	msdcsc.exe
Token: 35	5996	msdcsc.exe
Token: 36	5996	msdcsc.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4212	JOKE.EXE
5672	JOKE2.EXE
5996	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5340 wrote to memory of 5924	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 5340 wrote to memory of 5924	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 5340 wrote to memory of 5924	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 5340 wrote to memory of 1608	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	157
PID 5340 wrote to memory of 1608	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	157
PID 5340 wrote to memory of 1608	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	157
PID 5340 wrote to memory of 5388	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 5340 wrote to memory of 5388	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 5340 wrote to memory of 5388	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 5340 wrote to memory of 2792	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 5340 wrote to memory of 2792	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 5340 wrote to memory of 2792	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 5340 wrote to memory of 4212	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 5340 wrote to memory of 4212	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 5340 wrote to memory of 4212	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 5340 wrote to memory of 5672	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 5340 wrote to memory of 5672	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 5340 wrote to memory of 5672	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 5340 wrote to memory of 4288	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	84
PID 5340 wrote to memory of 4288	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	84
PID 5340 wrote to memory of 4288	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	84
PID 5340 wrote to memory of 5296	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 5340 wrote to memory of 5296	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 5340 wrote to memory of 5296	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 5340 wrote to memory of 5076	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	193
PID 5340 wrote to memory of 5076	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	193
PID 5340 wrote to memory of 5076	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	193
PID 5340 wrote to memory of 4416	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 5340 wrote to memory of 4416	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 5340 wrote to memory of 4416	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 1608 wrote to memory of 4476	1608	FILE5.EXE	88
PID 1608 wrote to memory of 4476	1608	FILE5.EXE	88
PID 1608 wrote to memory of 4476	1608	FILE5.EXE	88
PID 5340 wrote to memory of 2216	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 5340 wrote to memory of 2216	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 5340 wrote to memory of 2216	5340	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	89
PID 1608 wrote to memory of 2392	1608	FILE5.EXE	90
PID 1608 wrote to memory of 2392	1608	FILE5.EXE	90
PID 1608 wrote to memory of 2392	1608	FILE5.EXE	90
PID 5924 wrote to memory of 1940	5924	WScript.exe	91
PID 5924 wrote to memory of 1940	5924	WScript.exe	91
PID 5924 wrote to memory of 1940	5924	WScript.exe	91
PID 1608 wrote to memory of 5436	1608	FILE5.EXE	92
PID 1608 wrote to memory of 5436	1608	FILE5.EXE	92
PID 1608 wrote to memory of 5436	1608	FILE5.EXE	92
PID 1608 wrote to memory of 2156	1608	FILE5.EXE	94
PID 1608 wrote to memory of 2156	1608	FILE5.EXE	94
PID 1608 wrote to memory of 2156	1608	FILE5.EXE	94
PID 4416 wrote to memory of 4676	4416	SENDE2R.EXE	97
PID 4416 wrote to memory of 4676	4416	SENDE2R.EXE	97
PID 4416 wrote to memory of 4676	4416	SENDE2R.EXE	97
PID 2792 wrote to memory of 4076	2792	WScript.exe	98
PID 2792 wrote to memory of 4076	2792	WScript.exe	98
PID 2792 wrote to memory of 4076	2792	WScript.exe	98
PID 5388 wrote to memory of 3020	5388	WScript.exe	240
PID 5388 wrote to memory of 3020	5388	WScript.exe	240
PID 5388 wrote to memory of 3020	5388	WScript.exe	240
PID 5388 wrote to memory of 6016	5388	WScript.exe	106
PID 5388 wrote to memory of 6016	5388	WScript.exe	106
PID 5388 wrote to memory of 6016	5388	WScript.exe	106
PID 5296 wrote to memory of 1712	5296	LEGIT_SOFTWARE2.EXE	108
PID 5296 wrote to memory of 1712	5296	LEGIT_SOFTWARE2.EXE	108
PID 4288 wrote to memory of 2536	4288	LEGIT_SOFTWARE1.EXE	109
PID 4288 wrote to memory of 2536	4288	LEGIT_SOFTWARE1.EXE	109

Views/modifies file attributes 1 TTPs 5 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2164	attrib.exe
244	attrib.exe
4644	attrib.exe
1780	attrib.exe
3440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
"C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5340
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1940
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:484
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5668
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5740
- C:\Users\Admin\AppData\Local\Temp\FILE5.EXE
  "C:\Users\Admin\AppData\Local\Temp\FILE5.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE
    "C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4476
- - C:\Program Files (x86)\VLC1.EXE
    "C:\Program Files (x86)\VLC1.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
      4⤵
      PID:5700
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)" +s +h
      4⤵
      PID:1140
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2164
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      PID:2244
- - C:\Program Files (x86)\WINDOWS DEFENDER.EXE
    "C:\Program Files (x86)\WINDOWS DEFENDER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:248
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6036
    - - C:\Users\Admin\AppData\Roaming\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\csrss.exe"
        5⤵
        Executes dropped EXE
        
        PID:2436
- - C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE
    "C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FINDM10E.VBS"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Windows\Temp\svchost_533423.exe
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Windows\Temp\svchost_533423.exe
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Service WinDefend -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name taskmgr.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name cmd.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name regedit.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name procexp.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name processhacker.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /deletevalue {current} safeboot
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cipher /e /s:C:\Windows\Temp\
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5496
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e /s:C:\Windows\Temp\
      4⤵
      System Location Discovery: System Language Discovery
      PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4164
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    PID:5408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INSTALLE10R.VBS"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4644
- C:\Users\Admin\AppData\Local\Temp\JOKE.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5672
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8397.tmp\8398.tmp\8399.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
    3⤵
    - Modifies registry class
    PID:2536
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbx.vbs"
      4⤵
      PID:3640
  - - C:\Windows\system32\net.exe
      net stop "WSearch"
      4⤵
      PID:4584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WSearch"
        5⤵
        
        PID:2972
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "START PAGE" /d "https://watchfurry4k.com"
      4⤵
      Modifies Internet Explorer settings
      PID:5936
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5296
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83A7.tmp\83A8.tmp\83A9.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
    3⤵
    PID:1712
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4780
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1820
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3588
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3412
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5124
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5324
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5980
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4744
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LOL.VBS"
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sys32.hta \\BFFC-PC\C$\Users\Public\sys32.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404
- C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE
  "C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\config\Rundll32.exe
    "C:\Windows\system32\config\Rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4676
  - - C:\Windows\SysWOW64\config\Rundll32.exe
      "C:\Windows\system32\config\Rundll32.exe"
      4⤵
      Executes dropped EXE
      PID:1872
    - - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6068
      - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:32
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        52⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        53⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        54⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        55⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        56⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        57⤵
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        58⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        59⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5324
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        60⤵
        Drops file in System32 directory
        
        PID:1364
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        61⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        62⤵
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        63⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        64⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        65⤵
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        66⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        67⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        68⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        69⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        71⤵
        
        PID:440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        72⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        73⤵
        
        PID:776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        74⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        75⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        76⤵
        
        PID:332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        77⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        78⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        79⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        80⤵
        
        PID:244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        81⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        82⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        83⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        84⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        85⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        86⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        87⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        88⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        89⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        90⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        91⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        92⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        93⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        94⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        95⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        96⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        97⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        98⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        99⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        100⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        101⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        102⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        103⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        104⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        105⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        106⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        107⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        108⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        109⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        110⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        111⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        112⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        113⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        114⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        115⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        116⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        117⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        118⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        119⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        120⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        121⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        122⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        123⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        124⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        125⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        126⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        127⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        128⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        129⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        130⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        131⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        132⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        133⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        134⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        135⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        136⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        137⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        138⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        139⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        140⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        141⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        142⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        143⤵
        
        PID:652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        144⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        145⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        146⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        147⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        148⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        149⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        150⤵
        
        PID:904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        151⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        152⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        153⤵
        
        PID:460
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        154⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        155⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        156⤵
        
        PID:720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        157⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        158⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        159⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        160⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        161⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        162⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        163⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        164⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        165⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        166⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        167⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        168⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        169⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        170⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        171⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        172⤵
        
        PID:440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        173⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        174⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        175⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        176⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        177⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        178⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        179⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        180⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        181⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        182⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        183⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        184⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        185⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        186⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        187⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        188⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        189⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        190⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        191⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        192⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        193⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        194⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        195⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        196⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        197⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        198⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        199⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        200⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        201⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        202⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        203⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        204⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        205⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        206⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        207⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        208⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        209⤵
        
        PID:700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        210⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        211⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        212⤵
        
        PID:580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        213⤵
        
        PID:420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        214⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        215⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        216⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        217⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        218⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        219⤵
        
        PID:788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        220⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        221⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        222⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        223⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        224⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        225⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        226⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        227⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        228⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        229⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        230⤵
        
        PID:648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        231⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        232⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        233⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        234⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        235⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        236⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        237⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        238⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        239⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        240⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        241⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        242⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        243⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        244⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        245⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        246⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        247⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        248⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        249⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        250⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        251⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        252⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        253⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        254⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        255⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        256⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        257⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        258⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        259⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        260⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        261⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        262⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        263⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        264⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        265⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        266⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        267⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        268⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        269⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        270⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        271⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        272⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        273⤵
        
        PID:488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        274⤵
        
        PID:780
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        275⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        276⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        277⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        278⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        279⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        280⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        281⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        282⤵
        
        PID:792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        283⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        284⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        285⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        286⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        287⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        288⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        289⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        290⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        291⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        292⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        293⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        294⤵
        
        PID:900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        295⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        296⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        297⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        298⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        299⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        300⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        301⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        302⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        303⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        304⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        305⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        306⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        307⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        308⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        309⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        310⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        311⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        312⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        313⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        314⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        315⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        316⤵
        
        PID:724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        317⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        318⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        319⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        320⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        321⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        322⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        323⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        324⤵
        
        PID:408
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        325⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        326⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        327⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        328⤵
        
        PID:484
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        329⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        330⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        331⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        332⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        333⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        334⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        335⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        336⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        337⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        338⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        339⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        340⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        341⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        342⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        343⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        344⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        345⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        346⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        347⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        348⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        349⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        350⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        351⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        352⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        353⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        354⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        355⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        356⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        357⤵
        
        PID:720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        358⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        359⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        360⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        361⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        362⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        363⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        364⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        365⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        366⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        367⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        368⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        369⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        370⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        371⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        372⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        373⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        374⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        375⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        376⤵
        
        PID:488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        377⤵
        
        PID:332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        378⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        379⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        380⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        381⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        382⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        383⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        384⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        385⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        386⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        387⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        388⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        389⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        390⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        391⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        392⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        393⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        394⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        395⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        396⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        397⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        398⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        399⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        400⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        401⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        402⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        403⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        404⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        405⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        406⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        407⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        408⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        409⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        410⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        411⤵
        
        PID:752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        412⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        413⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        414⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        415⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        416⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        417⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        418⤵
        
        PID:420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        419⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        420⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        421⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        422⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        423⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        424⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        425⤵
        
        PID:408
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        426⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        427⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        428⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        429⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        430⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        431⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        432⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        433⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        434⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        435⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        436⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        437⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        438⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        439⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        440⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        441⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        442⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        443⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        444⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        445⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        446⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        447⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        448⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        449⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        450⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        451⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        452⤵
        
        PID:724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        453⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        454⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        455⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        456⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        457⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        458⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        459⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        460⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        461⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        462⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        463⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        464⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        465⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        466⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        467⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        468⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        469⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        470⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        471⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        472⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        473⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        474⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        475⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        476⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        477⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        478⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        479⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        480⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        481⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        482⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        483⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        484⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        485⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        486⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        487⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        488⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        489⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        490⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        491⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        492⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        493⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        494⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        495⤵
        
        PID:468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        496⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        497⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        498⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        499⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        500⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        501⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        502⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        503⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        504⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        505⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        506⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        507⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        508⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        509⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        510⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        511⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        512⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        513⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        514⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        515⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        516⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        517⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        518⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        519⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        520⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        521⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        522⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        523⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        524⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        525⤵
        
        PID:5324
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic process call create 'winlogon && mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5860
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process call create 'winlogon
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4188
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
      4⤵
      PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5852
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\winservice_533423.exe
1⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\svchost_533423.exe
1⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\TCP Manager\tcpmgr.exe
1⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1904
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4376
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3360
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:1220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:904
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4164
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5324
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:5312

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE

Filesize
86KB

MD5
0739a4b039910c9ecc48661e25279e6e

SHA1
02bf3b0265850bc13e85ac9bb421b88b6babbcaf

SHA256
9df65940d3f2230b276e9ee989f15a94855e07cf2aa04210353f7a9e9a62db4a

SHA512
e8a8876f4cfc2657e2b355b288fb8386e40131aeacc18aba1036ea5e60cf9a571f8da4ead987751db16fba5054d50b3dac9c399e5dff38fc64bf22c4fb3cb92f

Download Submit
C:\Program Files (x86)\VLC1.EXE

Filesize
251KB

MD5
3a0071fc42e1305afa1bc5d3d8233068

SHA1
711402cabd474d742d31509f17b26493683d61d3

SHA256
d41679ada9aabdfd4a55f25a5721d6a5dfbdee53afcf0d1cf319276e28941afa

SHA512
1a0b0bd341fe097f924517e8848d4012a93286402d79cdd67cf2cfc3225bd3785f81d329348ae1e0afc308ea98790dc89872f41cf3e9843a9481512832a403d8

Download Submit
C:\Program Files (x86)\WINDOWS DEFENDER.EXE

Filesize
47KB

MD5
96da127f30d555f809b5a781eeadb5d4

SHA1
6742daf92406b52d5b98fcf3c8b96aca2f691404

SHA256
f2e3e68a10f9f07b031e2fd3d7d73553ee4639a5e1c2a0775ac0a2ddbeff5e53

SHA512
2c7f2d0bfb65e532f1c1068a93f92c2cd17682de70d8ee84cab47d3b3e80f87d97d16e0d41dee027f3381e5abe9d19f8b2604da7769d36243695be1d79b3be52

Download Submit
C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE

Filesize
209KB

MD5
172214b69dfbf053c83ff8e6b70842bc

SHA1
02e321757925f21b18c96d2e23d6e9a755df59ab

SHA256
da01598ba05a9467fa7cf76d9d212df75886eeeea30a633654dcdf29d8be90d9

SHA512
6b02e7dffd64a8cc7b83e7dcbfbd8d4dfb99f7cc13d5056ffb00efb51f7cf0431bb270b8afa394dbeb4e7b3558261c0ea6bd3a542bd82afd9fbc9c5227f83a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
faa2dd409bb88491b6c57728dbf8a673

SHA1
6095f074030e7599cb1f9c251c62e2c0d1fb7418

SHA256
955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09

SHA512
0ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
e8a3b214c3077c04f5f31dcdf440de3f

SHA1
f38386af2ee2f9771613a47c9ad30a49604fb7fb

SHA256
76a97bc65a18ee1102328d1d748f7f4562ff9433e3aa8babf75bc6051002363a

SHA512
4c0342cf9b528ea32dbbc5abbb17e3160db6796cb7e339e829ae9f7dd92dcb4dadc69e5b60cbb53a2a894b498e3d6c6e76029dbec8659439e0b08174f0d9d4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a2f7ba56e1f92c80d03a5a144a093cf1

SHA1
8fc15abd01c74fd91a0dd8e968646d2c4438de0b

SHA256
70c3854b20b114375fee327f550a1d39142e559da54452a5ec826a855c4a2006

SHA512
ba614f4b93532dd5045c29c9cfe552c75aa5c7def624e8dd393fac7725f292a2a318fdaa31e2b51a20ce7c4f6ffcd6797ab258ffaa62b1bb94324e02e2c1098b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a1fa76e48437bc95b461c8bb3484bc50

SHA1
b0a94967f927ead43eb093327f8595c053a44d30

SHA256
73e7bd044470e4bafe1dc9e796f1b63b96264d9cc333cca36d568c53e2bb48bb

SHA512
3e5fccfc0a0de20f42a0643eea4c242b894f4740bf33a7f4f8c9288611ebbe3298013c22772ba100caf6ea6b071d91b73071e7d52951f253a1b115509845849c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8397.tmp\8398.tmp\8399.bat

Filesize
419B

MD5
58ff629a82464e0c19c1f13d0401d33c

SHA1
1e5af92e0f93b8066c5868651ae15f933d1d034b

SHA256
fe063155a0afbde316ee82cd32769afcb3cda55c599d9e12097f0cfd5916acf6

SHA512
e9a66f113b4ca7839a4b043dd22e558df9f0acd66b0647067734a776cd64b30511f2e2c2000ee20a3d0c92830790b0d96d068ee794e93c24d9aa16e64dbfa972

Download Submit
C:\Users\Admin\AppData\Local\Temp\83A7.tmp\83A8.tmp\83A9.bat

Filesize
288B

MD5
d6b8c97601f8219f4ce731a4a654f88d

SHA1
c327ca9e28729682cf1851b4e8299487575f7447

SHA256
0aa19971942d5fa91dae0e40ed000fc7dacdcb90c6f2254cc6f007c35514ef56

SHA512
2ef3b2c910aa47c16f0d72374733ee4b1991a9dc86558e43fb034a24c5723107c9cecc131b397d1c5abecfbaa60c56f63d30119c05f20e78fa189edabea26b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS

Filesize
667B

MD5
d0ef78b5be1f57ed5d18e57dd6bd6d31

SHA1
060c48d3e88ff7c94a6ee97189670805aa041303

SHA256
fd819d9467aba2d315be6051ebe84b2d6e72571f1174ca7c49763303e065a1fa

SHA512
3637db6b558f5e680a4796f79da983c1849e248f4f62209566b9c59189f3cf41c420c8aa5f4d845c96acd00bccbc029489ec832b7479472b4d123b5ae61e009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FILE5.EXE

Filesize
648KB

MD5
38836c26314605862f3ca3bfe0936b46

SHA1
b68d2a35b2d9f5083e3b2574ec409c6dbb615fd1

SHA256
3e151c518a16e949c618995aa6e38f509ff95f4fcc0f2a84a13a64f310e34e1b

SHA512
dc0aecfe210fd1169eea3118ca09de6dcb4e53ad6a7aee25580df1b82b224fa551a4c961756fbf0a415ab77aec2a26867cfd16fe0358bb1024da80b9e7bdc67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE.EXE

Filesize
55KB

MD5
07bd1ee5d09f280f6bc168f733d0490c

SHA1
0eacf38d54c2a2eb1782dd48b4ec7e61f007ce09

SHA256
fd426902b744a212d28fb869cc209f9d2251cc3f1a18f0508e087edf73bd2aed

SHA512
bf05683c95ca3d3fbd9c7624d045688440fe517f355fb23a60313c41336cb81d98ab77bbd1d11db248426de7eaa52c777efafa2250ebe041a79bade189b252a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE

Filesize
55KB

MD5
490568d9de15cd9d30736ba8a3083caa

SHA1
54943326186190bd528278521a096b93c9f102cf

SHA256
04496907588a2332a7ba32a00ba9ec7df101e47843a35f226f0612016930748d

SHA512
db997225356b0a69e424829bf6d0868bce997363650d4e59f2fe628d8f19593f16c544ee7ec37c8711201647f842b85b94437f903c655597078d53e40301d702

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE

Filesize
87KB

MD5
3748f4762016f1d005ad74a32e067359

SHA1
d3b0501286a19052bd8559a511dd595064dd0e45

SHA256
8df01525e7581d59e9b74d0b3f4254710bd5188291a1a2ae95273f7cf0fc94ca

SHA512
c9507c510b62f8413afef433dd0c67844caaa473d9fa3e7c467ad6950f314f75f3a1932f981e8408c28befd843847b3f1065ffd94b001233912ece71ae7760d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE

Filesize
87KB

MD5
236afa11abeaa2413b07c5a412c5e64f

SHA1
eea7da7ac3b9c28c5956d5ae36e64160d348db3a

SHA256
83dfdbd502c1ac4c98d373a8e3b1ada82d5e006c82312c86dd8f348ca7b88e4a

SHA512
9dd698ed829317e8483c37967c9b17b23389efe6c68d7dfb28e8d5fa19d1d533d9cd6b396ae2c216b3bb07dc8c928da9dbfab6a937d0a59318357c4fe9e1e49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL.VBS

Filesize
1KB

MD5
8bb7d55904f0592b12912cd17a6226a2

SHA1
4ef10c2a156f45d3daeeeeeea52c642ac0e7615e

SHA256
b363fbb1413da760fda389fbc481025b725dd281712542c32014bc6273eddac8

SHA512
8f9f6fef4719f07439d34074684bb235cdf0056e62ebbd182dfad75e67029da1903004affc4ef4a6a53307af2c5ab709b026bb43eb0704d0f18a9904c4bfc11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE

Filesize
24KB

MD5
c3ffaa41bf9c27053522ef7d68388b52

SHA1
d676498dcf952449526e190269f0b42698b523cc

SHA256
c21480e3e7606a3670a2a18a3db1acd429130c08b41e97f319102d00a7b023b9

SHA512
dc076eeb45e8ed4729cf25c7fb7769597a77d6dae5fe1e3c4b92857a1a437483cd374c86c40235b90a9598c6899c613ae23f37b7beb8d8c8d5900f7507e9ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA

Filesize
738B

MD5
1c35226c8c701349da6b67b0ffbd14e6

SHA1
0fec4a653a965f49c7f2b8fb3c9e63fe0deabda2

SHA256
dde632014ecc3adbc0be72e8fe86f789910797bada0b8c326dd4662d39408761

SHA512
4e7c483d23fd0f48a8de2cf80354923568ed764b48ebe9700cb81af7ca27759d99ab84d7ec18d61ae5c7183be3be0107deb7737373a2370ea59477b79db768d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jh3nasyf.kwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

Filesize
44B

MD5
020632109d137052c3e1eee7a16b419f

SHA1
3fced3ebe99d8ae61f1564a2cee6b85e9dc810d7

SHA256
df7ca44289b61cd88899441d17d54536818c3409ca3d233444e407c259f43697

SHA512
cb9b43734eb49c4df551c6dafaccdbb7187d223ad54361ff1013383751f67d62d933940fc5af49b474e21422d05efa2ddd42baca2e18cbc97a26b10a42dafffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp.bat

Filesize
149B

MD5
28a1f7ae4245ec8d29fb32cab8a9099f

SHA1
c4a49f1b202eb38ba4c8a498f045393ee63fdfad

SHA256
c27558eeee9115dd24a5a9ca58fe7deb82f6a7ddf1ff5475894f957f7ecc0492

SHA512
722b671b711818c320a86ba853e7384c0357058d70b9d147cc065d25c286d192ff441914de76508100d7c1df551ee493b8538508f63f49123f6df9d3c78819b5

Download Submit
C:\Users\Public\Documents\winservice_533423.exe

Filesize
1KB

MD5
7cc3b626518cf48dbfc1afcc85d95f21

SHA1
e190e0dc8dd587fe2695b199e750be5811d64a6c

SHA256
5d3db0d7702bc6b8ca3f8a644dd354203544e03e50e2745dd4540e95654c6296

SHA512
c161ad60d28196bdb6198581f2173696b3c927422d179c5f30f593c470f94d18377476e8aa5a2ea7a66008e0d14fd49c34a8fb65974b306506c2f57f98aaa02f

Download Submit
C:\Windows\Temp\svchost_533423.exe

Filesize
2KB

MD5
8ef7859cb44262053840e18037c862bd

SHA1
3215cf7cd1cf3af4fed0f3bdcc569c70fc2b2f73

SHA256
d4e84178fa198e903c717fac251159a053bedb307685e29c047621a22813bd9f

SHA512
6af654daad764a046052d8ca270b4e471cc6c5b2b33b589b8ad25660309f12fa6598dcad686e1ca88f12042976b37b6c30ed40b3084cad5dcf4b124170adab2f

Download Submit
memory/32-447-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/580-456-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/708-313-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/708-397-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/708-301-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1052-285-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1052-282-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1096-495-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1216-411-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1324-493-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1364-485-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1384-443-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1536-458-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1608-290-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1608-276-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-205-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1872-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1932-422-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1944-473-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1984-449-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2000-451-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2012-432-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2244-266-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2244-280-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2244-409-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2248-464-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-426-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2376-472-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2392-110-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2392-295-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2748-454-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2996-291-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2996-299-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3020-489-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3108-369-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3168-470-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3308-441-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3340-478-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3360-462-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3360-392-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3404-404-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3456-424-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3536-430-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-333-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3636-324-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3640-480-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3924-415-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3984-413-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4112-475-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4164-466-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4188-381-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4268-497-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4396-394-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4416-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4416-84-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4436-445-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4444-315-0x0000000005F20000-0x0000000005F3A000-memory.dmp

Filesize
104KB

Download
memory/4444-314-0x0000000006BD0000-0x0000000006C66000-memory.dmp

Filesize
600KB

Download
memory/4444-293-0x0000000005D00000-0x0000000005D4C000-memory.dmp

Filesize
304KB

Download
memory/4444-292-0x0000000005A20000-0x0000000005A3E000-memory.dmp

Filesize
120KB

Download
memory/4444-316-0x0000000005F70000-0x0000000005F92000-memory.dmp

Filesize
136KB

Download
memory/4476-134-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/4476-146-0x0000000005290000-0x0000000005836000-memory.dmp

Filesize
5.6MB

Download
memory/4476-132-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/4476-148-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/4476-151-0x0000000004E20000-0x0000000004E76000-memory.dmp

Filesize
344KB

Download
memory/4476-150-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/4568-348-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4584-418-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4584-416-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-139-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-204-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-436-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4824-400-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4908-438-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4944-476-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4960-428-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5076-407-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5076-402-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5088-491-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5104-452-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5192-460-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5324-483-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5392-434-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5400-482-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5436-131-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/5448-311-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5448-320-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5804-468-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5904-487-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5944-420-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5996-331-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/5996-212-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/6016-220-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/6016-218-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/6016-222-0x0000000005780000-0x0000000005AD7000-memory.dmp

Filesize
3.3MB

Download
memory/6016-219-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/6016-207-0x0000000005000000-0x000000000562A000-memory.dmp

Filesize
6.2MB

Download
memory/6016-206-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/6044-386-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6068-278-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6068-215-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6104-389-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download