d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe
Size

444KB
MD5

9098a42628b1d71ca4a2c235665d1a89
SHA1

839d7b19968d9e1cc70071c3856f3909ceae6ddf
SHA256

d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6
SHA512

ca488cd690da8b571607f2cea0b9e3cc4102e2c908be8b6432ef34463fdb63f15fe168a54ef5f8846e4747a651771585b6716570080dd99671243a35340a8972
SSDEEP

6144:8UfHRLVrp4y8ppwPd8LzufyNvBu97m02Xl2+vkoLcYjO9F9x0Ww4qfGV67IywjoT:bfHRLQpa8WqJm7x212XooYCV0WbVywj

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4972	attrib.exe
2756	attrib.exe
3504	attrib.exe
2800	attrib.exe
9968	attrib.exe
764	attrib.exe
2412	attrib.exe
4428	attrib.exe
3392	attrib.exe
4704	attrib.exe
8352	attrib.exe
8688	attrib.exe
5724	attrib.exe
4704	attrib.exe
3636	attrib.exe
3524	attrib.exe
9324	attrib.exe
10100	attrib.exe
3056	attrib.exe
4980	attrib.exe
1328	attrib.exe
9668	attrib.exe
5796	Process not Found
1632	attrib.exe
4328	attrib.exe
716	attrib.exe
10220	attrib.exe
5768	attrib.exe
6872	attrib.exe
8152	attrib.exe
7048	attrib.exe
9936	attrib.exe
2804	attrib.exe
620	attrib.exe
4720	attrib.exe
3004	attrib.exe
1556	attrib.exe
4724	attrib.exe
3488	attrib.exe
3332	attrib.exe
2952	attrib.exe
3780	attrib.exe
5736	attrib.exe
4948	Process not Found
3096	attrib.exe
1208	attrib.exe
1544	attrib.exe
7036	attrib.exe
1704	Process not Found
1648	attrib.exe
4664	attrib.exe
2392	attrib.exe
1136	attrib.exe
3936	attrib.exe
1912	attrib.exe
3988	attrib.exe
4620	attrib.exe
1308	attrib.exe
2212	attrib.exe
3968	attrib.exe
548	attrib.exe
4728	attrib.exe
1876	attrib.exe
2276	attrib.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	Process not Found
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	attrib.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	Process not Found
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe
File opened (read-only)	\??\e:	cmd.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\system\autorun.inf	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\autorun.inf	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 5052	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	82
PID 3008 wrote to memory of 5052	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	82
PID 3008 wrote to memory of 5052	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	82
PID 3008 wrote to memory of 4768	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	83
PID 3008 wrote to memory of 4768	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	83
PID 3008 wrote to memory of 4768	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	83
PID 3008 wrote to memory of 1824	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	84
PID 3008 wrote to memory of 1824	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	84
PID 3008 wrote to memory of 1824	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	84
PID 3008 wrote to memory of 5012	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	86
PID 3008 wrote to memory of 5012	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	86
PID 3008 wrote to memory of 5012	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	86
PID 3008 wrote to memory of 4628	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	88
PID 3008 wrote to memory of 4628	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	88
PID 3008 wrote to memory of 4628	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	88
PID 3008 wrote to memory of 4132	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	90
PID 3008 wrote to memory of 4132	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	90
PID 3008 wrote to memory of 4132	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	90
PID 3008 wrote to memory of 1704	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	91
PID 3008 wrote to memory of 1704	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	91
PID 3008 wrote to memory of 1704	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	91
PID 3008 wrote to memory of 4228	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	94
PID 3008 wrote to memory of 4228	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	94
PID 3008 wrote to memory of 4228	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	94
PID 3008 wrote to memory of 2032	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	96
PID 3008 wrote to memory of 2032	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	96
PID 3008 wrote to memory of 2032	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	96
PID 4228 wrote to memory of 3096	4228	cmd.exe	100
PID 4228 wrote to memory of 3096	4228	cmd.exe	100
PID 4228 wrote to memory of 3096	4228	cmd.exe	100
PID 2032 wrote to memory of 4704	2032	cmd.exe	102
PID 2032 wrote to memory of 4704	2032	cmd.exe	102
PID 2032 wrote to memory of 4704	2032	cmd.exe	102
PID 4132 wrote to memory of 2664	4132	cmd.exe	101
PID 4132 wrote to memory of 2664	4132	cmd.exe	101
PID 4132 wrote to memory of 2664	4132	cmd.exe	101
PID 1704 wrote to memory of 4736	1704	cmd.exe	103
PID 1704 wrote to memory of 4736	1704	cmd.exe	103
PID 1704 wrote to memory of 4736	1704	cmd.exe	103
PID 3008 wrote to memory of 3792	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	104
PID 3008 wrote to memory of 3792	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	104
PID 3008 wrote to memory of 3792	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	104
PID 3008 wrote to memory of 4360	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	106
PID 3008 wrote to memory of 4360	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	106
PID 3008 wrote to memory of 4360	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	106
PID 3008 wrote to memory of 4632	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	108
PID 3008 wrote to memory of 4632	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	108
PID 3008 wrote to memory of 4632	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	108
PID 3008 wrote to memory of 5104	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	109
PID 3008 wrote to memory of 5104	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	109
PID 3008 wrote to memory of 5104	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	109
PID 3008 wrote to memory of 1384	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	110
PID 3008 wrote to memory of 1384	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	110
PID 3008 wrote to memory of 1384	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	110
PID 3008 wrote to memory of 2964	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	114
PID 3008 wrote to memory of 2964	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	114
PID 3008 wrote to memory of 2964	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	114
PID 3008 wrote to memory of 4936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	115
PID 3008 wrote to memory of 4936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	115
PID 3008 wrote to memory of 4936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	115
PID 3008 wrote to memory of 3936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	117
PID 3008 wrote to memory of 3936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	117
PID 3008 wrote to memory of 3936	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	117
PID 3008 wrote to memory of 2364	3008	d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe	118

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1436	attrib.exe
3876	attrib.exe
9744	attrib.exe
4948	Process not Found
3704	attrib.exe
4832	attrib.exe
3332	attrib.exe
4156	attrib.exe
9236	Process not Found
1288	attrib.exe
4988	attrib.exe
3220	attrib.exe
9892	attrib.exe
7008	Process not Found
4728	attrib.exe
4980	attrib.exe
1244	attrib.exe
2016	attrib.exe
3780	attrib.exe
1648	attrib.exe
2452	attrib.exe
4140	attrib.exe
1328	attrib.exe
4580	attrib.exe
2968	attrib.exe
4784	attrib.exe
1692	attrib.exe
1136	attrib.exe
4728	attrib.exe
1660	attrib.exe
4496	attrib.exe
8928	attrib.exe
3808	attrib.exe
1992	attrib.exe
4340	attrib.exe
1732	attrib.exe
1328	attrib.exe
6492	attrib.exe
2392	attrib.exe
8380	attrib.exe
2460	attrib.exe
3368	attrib.exe
4916	attrib.exe
8200	attrib.exe
8356	attrib.exe
9476	attrib.exe
1908	attrib.exe
4056	attrib.exe
9680	attrib.exe
4852	attrib.exe
3196	attrib.exe
4592	attrib.exe
5112	attrib.exe
2980	attrib.exe
1556	attrib.exe
4564	attrib.exe
960	attrib.exe
1316	attrib.exe
8408	attrib.exe
7036	attrib.exe
2288	attrib.exe
1752	attrib.exe
2112	attrib.exe
6164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe
"C:\Users\Admin\AppData\Local\Temp\d902bc3bb02a9422cc81aafe60924b2ecc2c4fb4915799eaa18b792a694fb9f6.exe"
1⤵
- Drops autorun.inf file
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:448
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1456
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4736
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:5064
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4900
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:796
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4736
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4108
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1160
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:908
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:976
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4972
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1688
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1376
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:176
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:32
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4736
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:216
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4164
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:32
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2304
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3328
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1368
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:8
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2752
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:1880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:376
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:1508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3392
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:984
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:792
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3468
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1776
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4896
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3636
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:976
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:10220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:9656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:4016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:7048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:5768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:8352
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1908
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:7648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:216
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2844
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:8520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:792
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:7576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:9756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:9664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:9936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:8408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:412
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:9708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:9892
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3180
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:9716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:8040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:9680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:6708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:8368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4360
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:7580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:6444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3036
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Enumerates connected drives
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:10196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:9968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:8268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:8424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:936
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:5156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:8960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Sets file to hidden
    PID:10100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:9668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:6872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:7604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:6968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:9720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:9660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:4848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:9680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:396
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:9900
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:3524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:9704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:10020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:1824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:6264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:3716
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:8344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:8692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:5292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:8356
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:10208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:8200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:5736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:6772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:9744
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:7780
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:9948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:7772
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Sets file to hidden
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:7764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:8348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:7756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:8324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:7748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:7740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:7732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:7724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:7708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:6764
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:6756
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:8380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:6748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:6740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:6732
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:6716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:6708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:8148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:8140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:8180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:8188
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:7968
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:7900
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:7872
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:8508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:8628
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:8500
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:9740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:8492
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:6372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:8484
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:8476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:8468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:8460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:8452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:8444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:7480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:7260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:4620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:8296
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:8688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:8340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:7484
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:6164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:8632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:9848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:9840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:9832
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:9820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:9812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:9804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:9796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:9788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:9780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  - Enumerates connected drives
  PID:6512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:9292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:9620
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:8404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:9528
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:5292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:9504
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:8928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:9640
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Views/modifies file attributes
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:9136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:8092
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    PID:9308
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    - Sets file to hidden
    PID:9324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:5720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:9600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:8412
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:9172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  - Enumerates connected drives
  PID:5584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:8556
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:6716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:9312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:9200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:9508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\continue.exe
    3⤵
    PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\continue.exe
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A e:\autorun.inf
    3⤵
    - Views/modifies file attributes
    PID:9476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:6152
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R +h +S +A d:\autorun.inf
    3⤵
    PID:7224
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:7712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\Cursors\exp1orer.exe %systemdrive%\Docume~1\AllUse~1\StartM~1\Programs\Startup\
  2⤵
  PID:4392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf e:\
  2⤵
  PID:4336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\system\autorun.inf d:\
  2⤵
  PID:5880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\autorun.inf
  2⤵
  PID:8108
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe e:\
  2⤵
  PID:6340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy %systemroot%\mui\continue.exe d:\
  2⤵
  PID:6800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\autorun.inf
  2⤵
  PID:9672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A d:\continue.exe
  2⤵
  PID:9616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib +R +h +S +A e:\continue.exe
  2⤵
  PID:2452

C:\Windows\SysWOW64\attrib.exe
attrib +R +h +S +A e:\continue.exe
1⤵
- Sets file to hidden
PID:8152

C:\Windows\SysWOW64\attrib.exe
attrib +R +h +S +A d:\autorun.inf
1⤵
PID:3152

C:\Windows\SysWOW64\attrib.exe
attrib +R +h +S +A d:\continue.exe
1⤵
- Sets file to hidden
- Views/modifies file attributes
PID:7036

C:\Windows\SysWOW64\attrib.exe
attrib +R +h +S +A e:\autorun.inf
1⤵
- Views/modifies file attributes
PID:6492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\autorun.inf

Filesize
141B

MD5
c36a1125d03d82ef3a755c54c68bcb77

SHA1
62d498b8af63bd2360f8d8485a91c8810558f168

SHA256
3e8b2f31dafe3984bd1e86566535c3648cbf7dc24d4d47ead08399b0f01d4782

SHA512
f44f27e7f74ed32acf04fe4c576d2fbde930f642d6ddc1291712a98fff29d3ee1fce769faa70115dc8f579e29b292787c0116e6aef28152a1bcb46b21022993c

Download Submit
memory/3008-132-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3008-200-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads