224acb5f139a1ebf8add7f965c96b47c82e26f10a556e45361d0bc71308417ed

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
Size

356KB
MD5

3cde62c0d1ef60c043ccf1fc3dba7a22
SHA1

c05cc6eca17c0dac2df50368b6e62f0fd3a80c8a
SHA256

224acb5f139a1ebf8add7f965c96b47c82e26f10a556e45361d0bc71308417ed
SHA512

61f5f55ebb671ea2e07158f516ced63c119008e52bf7498e6d0c132cfbca2f648220c4521d0fed0b422b75ef937aa9577bd4d5fa16b0eb79804d569ca2b82cd7
SSDEEP

6144:VuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL0qEks3ih1XGWy:Y6Wq4aaE6KwyF5L0Y2D1PqL0qC3c2t

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3060	commander.exe
2688	commander.exe
2904	svhost.exe
2840	commander.exe
2580	commander.exe
2488	commander.exe
2984	commander.exe
2280	system.exe
2784	commander.exe
2832	system.exe
2096	commander.exe
1624	system.exe
1980	commander.exe
596	system.exe
2712	commander.exe
2004	system.exe
2780	commander.exe
1096	system.exe
2844	commander.exe
2800	system.exe
1640	commander.exe
1636	system.exe
2036	commander.exe
2052	system.exe
2436	commander.exe
2112	system.exe
2056	commander.exe
784	system.exe
2364	commander.exe
3040	system.exe
1756	commander.exe
2724	system.exe
1456	commander.exe
1584	system.exe
1868	commander.exe
1600	system.exe
2940	commander.exe
320	system.exe
1716	commander.exe
960	system.exe
2924	commander.exe
1696	system.exe
1664	commander.exe
2084	system.exe
808	commander.exe
1128	system.exe
2232	commander.exe
2616	system.exe
2624	commander.exe
1144	system.exe
1440	commander.exe
2656	system.exe
2840	commander.exe
2464	system.exe
2540	commander.exe
2976	system.exe
2448	commander.exe
2348	system.exe
2860	commander.exe
2880	system.exe
2344	commander.exe
2456	system.exe
2556	commander.exe
1140	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2984	commander.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2408-12-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0015000000011fff-13.dat	upx
behavioral1/files/0x0015000000011fff-14.dat	upx
behavioral1/files/0x0007000000016d6c-26.dat	upx
behavioral1/files/0x0007000000016d6c-27.dat	upx
behavioral1/files/0x0007000000016d6c-28.dat	upx
behavioral1/files/0x0007000000016d7d-30.dat	upx
behavioral1/memory/2280-32-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-35.dat	upx
behavioral1/files/0x0007000000016d77-36.dat	upx
behavioral1/memory/2832-38-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-41.dat	upx
behavioral1/memory/1624-43-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-46.dat	upx
behavioral1/files/0x0009000000016e77-47.dat	upx
behavioral1/memory/596-49-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-52.dat	upx
behavioral1/memory/2004-54-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-57.dat	upx
behavioral1/files/0x0009000000016e77-58.dat	upx
behavioral1/memory/1096-60-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-63.dat	upx
behavioral1/memory/2800-66-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-69.dat	upx
behavioral1/memory/1636-71-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-74.dat	upx
behavioral1/memory/2904-75-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0009000000016e77-76.dat	upx
behavioral1/memory/2052-78-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-81.dat	upx
behavioral1/memory/2112-83-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-86.dat	upx
behavioral1/memory/784-89-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0009000000016e77-87.dat	upx
behavioral1/files/0x0007000000016d6c-92.dat	upx
behavioral1/memory/3040-94-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-97.dat	upx
behavioral1/memory/2724-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/files/0x0007000000016d6c-103.dat	upx
behavioral1/memory/1584-105-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1600-107-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/320-109-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/960-111-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1696-112-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1696-114-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2084-116-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1128-118-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2616-122-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1144-124-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2656-126-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2464-128-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2976-130-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2348-132-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2880-134-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2456-136-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1140-138-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/776-140-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/2212-142-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/556-144-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1940-146-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1612-148-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1644-149-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1644-151-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2408-12-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2280-32-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2832-38-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1624-43-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/596-49-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2004-54-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1096-60-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2800-66-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1636-71-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2904-75-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2052-78-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2112-83-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/784-89-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/3040-94-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2724-100-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1584-105-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1600-107-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/320-109-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/960-111-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1696-114-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2084-116-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1128-118-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2616-122-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1144-124-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2656-126-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2464-128-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2976-130-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2348-132-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2880-134-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2456-136-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1140-138-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/776-140-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2212-142-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/556-144-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1940-146-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1612-148-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1644-151-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2180-154-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2904-155-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1344-157-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2292-159-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/272-161-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/396-163-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/436-165-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2156-167-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1584-169-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2904-190-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1728-282-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2004-322-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2036-425-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2448-552-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2736-648-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/928-775-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/852-875-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1072-953-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1672-1026-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2036-1030-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2168-1032-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2384-1042-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/1508-1044-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2576-1046-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2572-1048-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2184-1050-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe
behavioral1/memory/2752-1052-0x0000000000400000-0x00000000004BA000-memory.dmp	autoit_exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C938A0A3-61F7-11EE-8B76-76BD0C21823E}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	rundll32.exe
File created	C:\Windows\SysWOW64\svhost.exe	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C938A0A1-61F7-11EE-8B76-76BD0C21823E}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C938A0A1-61F7-11EE-8B76-76BD0C21823E}.dat	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File created	C:\Windows\SysWOW64\commander.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
File created	C:\Windows\SysWOW64\system.exe	svhost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
File opened for modification	C:\Windows\svhost.exe	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 008c1b9104f6d901	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E1B6B9B7-E08F-4B69-99F9-C8425BF9FD19}\WpadNetworkName = "Network 2"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = c0061a9404f6d901	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070a00020003000e0013000400cb0102000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = a009e09004f6d901	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C938A0A1-61F7-11EE-8B76-76BD0C21823E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070a00020003000e0013000000670300000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{864455DD-35C5-4B21-B6DD-5F205640CDBD}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E1B6B9B7-E08F-4B69-99F9-C8425BF9FD19}\WpadDecisionTime = c05fc78d04f6d901	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "rrpp9ks"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
2904	svhost.exe
2904	svhost.exe
2904	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	svhost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe
860	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
860	iexplore.exe
860	iexplore.exe
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 3060	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	28
PID 2408 wrote to memory of 3060	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	28
PID 2408 wrote to memory of 3060	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	28
PID 2408 wrote to memory of 3060	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	28
PID 3060 wrote to memory of 2608	3060	commander.exe	30
PID 3060 wrote to memory of 2608	3060	commander.exe	30
PID 3060 wrote to memory of 2608	3060	commander.exe	30
PID 3060 wrote to memory of 2608	3060	commander.exe	30
PID 2408 wrote to memory of 2688	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	31
PID 2408 wrote to memory of 2688	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	31
PID 2408 wrote to memory of 2688	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	31
PID 2408 wrote to memory of 2688	2408	3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe	31
PID 2688 wrote to memory of 2672	2688	commander.exe	33
PID 2688 wrote to memory of 2672	2688	commander.exe	33
PID 2688 wrote to memory of 2672	2688	commander.exe	33
PID 2688 wrote to memory of 2672	2688	commander.exe	33
PID 2908 wrote to memory of 2904	2908	taskeng.exe	35
PID 2908 wrote to memory of 2904	2908	taskeng.exe	35
PID 2908 wrote to memory of 2904	2908	taskeng.exe	35
PID 2908 wrote to memory of 2904	2908	taskeng.exe	35
PID 2904 wrote to memory of 2840	2904	svhost.exe	36
PID 2904 wrote to memory of 2840	2904	svhost.exe	36
PID 2904 wrote to memory of 2840	2904	svhost.exe	36
PID 2904 wrote to memory of 2840	2904	svhost.exe	36
PID 2904 wrote to memory of 2580	2904	svhost.exe	38
PID 2904 wrote to memory of 2580	2904	svhost.exe	38
PID 2904 wrote to memory of 2580	2904	svhost.exe	38
PID 2904 wrote to memory of 2580	2904	svhost.exe	38
PID 2904 wrote to memory of 2488	2904	svhost.exe	40
PID 2904 wrote to memory of 2488	2904	svhost.exe	40
PID 2904 wrote to memory of 2488	2904	svhost.exe	40
PID 2904 wrote to memory of 2488	2904	svhost.exe	40
PID 2904 wrote to memory of 2984	2904	svhost.exe	42
PID 2904 wrote to memory of 2984	2904	svhost.exe	42
PID 2904 wrote to memory of 2984	2904	svhost.exe	42
PID 2904 wrote to memory of 2984	2904	svhost.exe	42
PID 2984 wrote to memory of 2280	2984	commander.exe	44
PID 2984 wrote to memory of 2280	2984	commander.exe	44
PID 2984 wrote to memory of 2280	2984	commander.exe	44
PID 2984 wrote to memory of 2280	2984	commander.exe	44
PID 2904 wrote to memory of 2784	2904	svhost.exe	45
PID 2904 wrote to memory of 2784	2904	svhost.exe	45
PID 2904 wrote to memory of 2784	2904	svhost.exe	45
PID 2904 wrote to memory of 2784	2904	svhost.exe	45
PID 2784 wrote to memory of 2832	2784	commander.exe	47
PID 2784 wrote to memory of 2832	2784	commander.exe	47
PID 2784 wrote to memory of 2832	2784	commander.exe	47
PID 2784 wrote to memory of 2832	2784	commander.exe	47
PID 2904 wrote to memory of 2096	2904	svhost.exe	48
PID 2904 wrote to memory of 2096	2904	svhost.exe	48
PID 2904 wrote to memory of 2096	2904	svhost.exe	48
PID 2904 wrote to memory of 2096	2904	svhost.exe	48
PID 2096 wrote to memory of 1624	2096	commander.exe	50
PID 2096 wrote to memory of 1624	2096	commander.exe	50
PID 2096 wrote to memory of 1624	2096	commander.exe	50
PID 2096 wrote to memory of 1624	2096	commander.exe	50
PID 2904 wrote to memory of 1980	2904	svhost.exe	51
PID 2904 wrote to memory of 1980	2904	svhost.exe	51
PID 2904 wrote to memory of 1980	2904	svhost.exe	51
PID 2904 wrote to memory of 1980	2904	svhost.exe	51
PID 1980 wrote to memory of 596	1980	commander.exe	53
PID 1980 wrote to memory of 596	1980	commander.exe	53
PID 1980 wrote to memory of 596	1980	commander.exe	53
PID 1980 wrote to memory of 596	1980	commander.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3cde62c0d1ef60c043ccf1fc3dba7a22_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:2608
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:2672

C:\Windows\system32\taskeng.exe
taskeng.exe {2A9BF1A5-7D8F-48DD-B0DE-5B0FA789CD97} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2280
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2832
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
      4⤵
      Executes dropped EXE
      PID:1624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
    3⤵
    - Executes dropped EXE
    PID:2712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
      4⤵
      Executes dropped EXE
      PID:2004
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2780
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1096
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2844
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2800
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
    3⤵
    - Executes dropped EXE
    PID:1640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
      4⤵
      Executes dropped EXE
      PID:1636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
    3⤵
    - Executes dropped EXE
    PID:2436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
      4⤵
      Executes dropped EXE
      PID:2112
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2056
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:784
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
    3⤵
    - Executes dropped EXE
    PID:2364
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
      4⤵
      Executes dropped EXE
      PID:3040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1756
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2724
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
    3⤵
    - Executes dropped EXE
    PID:1456
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
      4⤵
      Executes dropped EXE
      PID:1584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1600
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
    3⤵
    - Executes dropped EXE
    PID:2940
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
      4⤵
      Executes dropped EXE
      PID:320
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1716
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2924
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1696
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
    3⤵
    - Executes dropped EXE
    PID:1664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
      4⤵
      Executes dropped EXE
      PID:2084
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1128
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Users.exe
    3⤵
    - Executes dropped EXE
    PID:2232
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Users.exe
      4⤵
      Executes dropped EXE
      PID:2616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2624
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1440
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2656
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2448
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2348
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2880
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2344
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1140
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:292
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1380
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:556
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2780
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
      4⤵
      PID:272
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:396
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:436
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyf:\$RECYCLE.BIN.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyf:\$RECYCLE.BIN.exe
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:852
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1728
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1672
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2168
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1120
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:788
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1248
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2876
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1660
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:544
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1856
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2208
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2328
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2080
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1360
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1672
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2444
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1740
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1460
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:292
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:608
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3068
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1236
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1436
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1004
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2420
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:292
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1396
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1436
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1788
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1668
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1660
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:852
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1060
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2528
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2612
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2236
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1004
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:756
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:852
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2140
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:292
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1032
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1636
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1724
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:272
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1312
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1376
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1248
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2764
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1148
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2256
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:964
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:788
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:396
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:272
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1508
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1080
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1416
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1444
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:804
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:272
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1000
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2200
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2272
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2028
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1812
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2444
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1444
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:804
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2080
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2356
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1660
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:520
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:964
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1712
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2344
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1940
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1372
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:804
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:960
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:764
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2612
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1392
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:292
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1448
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2196
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1284
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:776
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1000
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1620
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1136
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:544
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1148
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2308
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:856
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:764
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2660
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2236
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2468
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:748
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:608
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:556
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:904
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2328
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1500
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2408
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2516
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2772
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2496
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2444
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1448
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:904
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1132
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2376
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2516
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:852
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:520
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2784
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1744
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:556
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1236
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2720
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1632
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2452
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2232
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:876
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1128
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2180
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:788
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2156
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2724
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1028
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2472
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2916
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2452
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2748
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:964
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1600
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:860
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
  2⤵
  - Drops file in System32 directory
  PID:1580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:860 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2172
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:2812
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:268
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "859274072174239790812964165381541045980505954024-18496725851960014439907553715"
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
356KB

MD5
b88204cd7388ab8365c0523c09c246da

SHA1
25272627d1c97bf676dfa86f93155d42150a5063

SHA256
8f3b1d05a50b0be3713a7de52cccd83379d3cc428aab4d87d53f0e18d32ff605

SHA512
942fe0db449ac142df9dcb378dcedc6aad8d915e03bc3cdc93527101bdc6f2b3801ca411d1339daab38b318fd600f8774a087cbe189bf71f5602011ab9bd43f3

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
356KB

MD5
1dcce96f2781f0a0bc580927a577d39e

SHA1
8a318eb53c0c49e3053d68f855d0ef05635fa64f

SHA256
074433a71ec830406a504defcc66ed9fb3020c81dcc6850b880904b0ce27a2d0

SHA512
b17f7a151e01ce35baa400b69ab390803cce3f3b066aa6bc6cdc220c03f35275ca9e6b9b413f0b66053fabf981b1a4b82a51a60630c16955c624591c54a3297b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
888163c21a88c26a26f99ff2b191e5e4

SHA1
0e924d4a824188e3899c15fb3a2c0760042050b3

SHA256
e602c9c773720bef06f2f803b14d5109fc5cbc44962b71cd33ed7101ebb64ffd

SHA512
34c8b47f4831cc5875ea0050e2445f1c3e2c17b76e239e907994cf3063c76c230466efcd66011ea62714d0303eabb81c8acf1e8989bc61538342f902301dd409

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
954feffb7b144d827cb4820e28302b94

SHA1
a054c580c1f75aea53770bc44226e73f89e25909

SHA256
b6c8a919b797ee583fad7b7e46ab01259f24b48dd54e1fb77bc2be0e431620ec

SHA512
b51d02ad01fe68e9efbb8b05e9c362df9cfa03815c7e1c85505ea341890ce672e36c1c42c5bfdfadb6d65aa22c3fb44c7722a847597863c88d1676f271400f69

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bee68005d7fc281a1eaf052fa1d9c6aa

SHA1
281aa146466cbc7f268453d4a94b37695543d2d3

SHA256
a2d7a3870b0c7324d3890e4537a498a9fa5a3a1ff2b59f579dcc07d8938e9531

SHA512
e4ae0d7622f45d3a96943a238b7f89869f27002ffdb47d2a69a0aedfb286254303334b0b17c4e40c4918bf650134c654b829d468edbd6542c5ea44cd28cb943d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17f790f2feedd812457e17b6022bbfac

SHA1
88b034bb7f4267e2d392730f6467932841197c26

SHA256
c6fabf0778db1041fedb3b89eff4ec0e04ebc9269b39e0224796042933336dfd

SHA512
4a59a08a27aa9826038809bb38ea73e7a58d78fd4fbf4049e1ff50f81bfb39d960a5b13357a80779546bd265d35d07ac1970cfc1ee1266ccc40e4b219fcea58c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7b9570e84530371ba93385353905cbf

SHA1
a474656c77fb6878ce937f8dc21a3601d8dc64fa

SHA256
d2da1f9d8c6f536369cbc410ee454b40eab1a96152b7d95c9ed8f740a68742d6

SHA512
384693b3008320d9aa6d9e19f6c521fa24c893f0b3298e28a652689777576924bac6c25cf4eb78d51f088130b5be23d3a720bd0a14fcad177561ca744cdca845

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b49b462c6beb1ff9185b7cfc6e6952be

SHA1
f9e15129a8b9ab997ab0bdbd7b91922c8aa562fc

SHA256
2e88b409282331f26dcfa443d1f4856e88e226759b7bf31ad0c82df3dac5dba6

SHA512
f4086b07e9ebe7404e91294545543dc1481c7ef119ddbf7a27723b842e9d975ffed4d063c2c28fc351337ba2c21b78932d88d273171be7c8dd65635156516fe4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
253a197b41baac60557c9f01b7f7e3a9

SHA1
105a64a209afe931370a62cd06e34c6e40d20e95

SHA256
ca3a4e2394105e90dfc57e924e12d72a79474218fa05a0977fbebeaee82bb5f0

SHA512
95da5bcfa9fcf17b7c79927b59ad3f92b6369bb79fca7e55a8f08ffc760c3a39da6a582d277eddb4ce2a3670ecab425b90fe915813d96a2b72de3c5b682ed1c5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9b23e7c0b0b39fff31bddfc38c3e649

SHA1
62deabbc3a7bf7e1ba4c2fc0709411b36f5ef809

SHA256
75c72a9c1da4b09d50223e8d7c416c0740575103550bea31f541ca8768c25597

SHA512
182c4db82d0e7e483ccc2534a2d192448089bea9584e83a79e7b576dbc83536fd69c9abc171156883361e654c137febaeeb50100a012e3ee85bbd199082207c6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4825a1c5591a1b3962ee28ecbe805e31

SHA1
1c30863bb21749e952610c2f0c685b88c51cec0a

SHA256
6567872d08dabd76b7edb375f8560adf5697064ea31407189df7c4a53a4d2087

SHA512
02b3462ed57bf87391044271e2ef76d3676749d0b5149ed99dcc5e392e41455e6cb025f823712a00e06e1fd894090c20bb1c01b535fc3136187e5f5909d078fb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfeb49e7037d8b12db7009f4b15a58b7

SHA1
f147054220ebe9189b37db247c211b7f61f1421d

SHA256
77c7a89218fab6506a635bfc5ff789d22d96a1bad3e5389d7c192a8462982da3

SHA512
11bf2a4590dca4fa5bc210ff1304c8970f01d59415e5f94179b99340e43ce36631a025aa4935d6cfff1783cfea75c0d86cd6d31c5955b9e5add16e5f69d49ab2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
403c16447da96ff7f18c4cc6bbb5e64d

SHA1
4c61b68108f612ef9dfe43b56bd2c8e6696cc669

SHA256
f006b8f18a88d964e5c955488ea8a7dffa5494212eccc4b8c28b51162a4a3a81

SHA512
9b76ebd50e5b03e6adf27ace642e3499e1a2ef455a243eadc2ca36173162141ebe4f7af530566d918eb273e0a45f64b844ca9b17947cb551ef120b372b939cd3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
563f1dff29085d470e1ca732424c6c6f

SHA1
6f69f433c84bf6b94816bd1b38550bc7c6c8226a

SHA256
f66eff7eed7985c9ab68175388240a296163b40119ddfdf36c10830baf480424

SHA512
767d3d5ff3500d9d8141ff1b427b240cd19945194bcc5b0645cf1e0eb770a86eea8d899367eca505c767d2a44189545f18a1c4c5aeea95e995fc94713c42dff1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e9cb1fe3cb950ea039ccb07087a9433

SHA1
d3a28ef385a07182cf30bdcebecc70c451677973

SHA256
ea2e8b23001b3676bc936a16c76a639569ebd184ea0769f4db67a8881401e9df

SHA512
d898b2aa2c084020d0cb02ba2cb33145a11f8051b90db1af83eccf74cc49436f2dfad4dca2e92d9c4dc42599f0c1269de165b455c130b9d2cab045b467b181dc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d06083bd5e714b909c9c3dad077ef3f1

SHA1
116b27e2812f3e73bd697a231cc120eea4cda2ed

SHA256
218b622870cb2683a5582589843f550170468a233291ce8c4b23f73fcc5153f5

SHA512
d9792976d1b40a84e204a567dd8c75732593a3b3940df90c61c23607fcbf68f2ed96a475e55da6a13300288efdbbd9f7a1ed775ae81e88cbe7186800e9327cec

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c812be08fdf22cc2ff3f625cc71179f

SHA1
89a66851b042cbf49dae16ad6df833f3a15f1f69

SHA256
fc5ad6e152e0cca59c959c708a3acfddffc4037ffa1a7ac55c583aa53f013e16

SHA512
07becbd0123788fda8459aa898e0cfa2a3230572038b3302c36c684cdc40505583da5b0d30326f1a6140eeb90867c2d9b78d6eeec6160a39cee7c20767938a1f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9186c9e6920e0e77de3100f7358c1d34

SHA1
5e2367b27e7ed4ac4053bcdeed766face1352602

SHA256
a1a3f5833eb12bc4e2c17b042ea82f9d64c159da15dcf459b849e32217a93d64

SHA512
f6a68e2ce47b9110f29753f140ec20b5e9ccece237ed4ec7727b3bd4936b7fcf2c90d78f2da8947eaca1656fdac0317e0bbfa9d9841b3d6da182f919df5b9cc1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d3c07ebf531a5001f0d4cf4fad58b216

SHA1
8d9233916307bf375bfe342798fb6d9cf5382ac6

SHA256
b96d7916531976943480fd20725c17e714538f5c0ecf349fbe6506875e4d847d

SHA512
d2f5b58bc2f91f827b00d25899d30ae84c92dc7d1d4b826041495ba4b495cd10ee89f69367c02894293f0a04d1f4cad236e0b2a82177d7c7ac54359908d74b44

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabA26C.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA2DE.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarA4E7.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\Temp\wwwA1DB.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwA1EB.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\svhost.exe

Filesize
356KB

MD5
43927a5366af2de3ac767ce90d2be378

SHA1
26e596d477cf2842e48df3cea8a5357caadfbdc3

SHA256
ee9bc8a9f644a9c057c8f416ae8bd8fed04f338cf85c179baa3f278c04c1c2ac

SHA512
9705c0ff5c8f770f26ef2aa821e4e2baaa57be732a344b7f5810e2523e59dca4742b4087cc99fafb62a50cadba054a3dab4e998ff26becb41569dad2b81ae239

Download Submit
C:\Windows\svhost.exe

Filesize
356KB

MD5
43927a5366af2de3ac767ce90d2be378

SHA1
26e596d477cf2842e48df3cea8a5357caadfbdc3

SHA256
ee9bc8a9f644a9c057c8f416ae8bd8fed04f338cf85c179baa3f278c04c1c2ac

SHA512
9705c0ff5c8f770f26ef2aa821e4e2baaa57be732a344b7f5810e2523e59dca4742b4087cc99fafb62a50cadba054a3dab4e998ff26becb41569dad2b81ae239

Download Submit
C:\startup.exe

Filesize
356KB

MD5
fc5dd7ee45c9bd83c7c5771296111c19

SHA1
aed1c7abda7f13e85d433d1fe7a2795560600bc9

SHA256
d74281d75efd9114d6055812d53e1b53bf4c8cc6528efffa84ae891e584eca90

SHA512
acd48df091b0f7d8dee1bc1ec946449c11525f165fd5ab526c2964a45a97b9499cbcb477cb5edb7a406303e1cf7fe65aa839f841275d4efbdc54158bcea63e5e

Download Submit
C:\startup.exe

Filesize
356KB

MD5
423e215e5e3d4534f714453445ee8067

SHA1
79efb2171ce26da3abc58e8c62587fab920f5d44

SHA256
bb30229d05c35b0f22532f096c6e6fc712ceb03758aedf1dbbccf4c2d15dfd52

SHA512
a0addc5faf341ee369648670ed4cf1567215cf105ae34072cf2e682427e3ac6823ce1c757a6ecf52dcd91d7695d645f8cb042772e0f17fe4372dd142b1df528e

Download Submit
C:\startup.exe

Filesize
356KB

MD5
7288bf744c3e52e436ea82a70431db65

SHA1
10289721615c05d7d5f3ca250ac1f9aac1a4af59

SHA256
33c64d2336d92a7597c414a054bde884bb9e3d16e20eab32d428c25a066cf68d

SHA512
0d36b4dd04eb7ecc57abbcd90914d336d0d6dd1c61861f2ca925e6e624f957704f5d9eccaec87338c0ba05fe15e78242004844de95d3e579dc0eed7a9fc921eb

Download Submit
C:\startup.exe

Filesize
356KB

MD5
7288bf744c3e52e436ea82a70431db65

SHA1
10289721615c05d7d5f3ca250ac1f9aac1a4af59

SHA256
33c64d2336d92a7597c414a054bde884bb9e3d16e20eab32d428c25a066cf68d

SHA512
0d36b4dd04eb7ecc57abbcd90914d336d0d6dd1c61861f2ca925e6e624f957704f5d9eccaec87338c0ba05fe15e78242004844de95d3e579dc0eed7a9fc921eb

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
753266844d2ad9801644bced6baa2ed7

SHA1
56bc73bbc95c15aada155e73bedbef8a0432392b

SHA256
8dbfab26c556eddda716029f8c2e9f5b5f5802404c18f3b8de0454e83db8a990

SHA512
6f301bf4a6255353c16bae87847e66c9f06b81d97ac38c3bada812fa0f9d1d0be7850e0f5517ba18481cc2979a4cabdf8f73e11899214b6dbfadf5edcb655710

Download Submit
\Windows\SysWOW64\system.exe

Filesize
356KB

MD5
e7afec7234d896d4fc3cc327fda6bc15

SHA1
c556d5ffdeca65595840af5896bb2cbabdda447b

SHA256
840f4b595b6621a07f495891a0da7f749dc40b86d5a6d51e3cfb67bae95bed9e

SHA512
06d8025b287eac033e3a0d13919a23b3dc15fc67617ec60cb086998429cb7deadf4e7471767ce68c6205bbe7f1810ca8600a0bf1cd1f337ec0a51059659bcb6b

Download Submit
memory/272-161-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/320-109-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/396-163-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/436-165-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/556-144-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/568-1225-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/596-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/616-1098-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/684-1092-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/776-140-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/784-89-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/788-1073-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/852-875-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/928-775-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/960-111-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1072-953-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1096-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1120-1131-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1128-118-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1140-138-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1144-124-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1176-1076-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1196-1219-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1248-1107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1344-157-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1488-1162-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1504-1177-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1508-1044-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1584-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1584-169-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1596-1156-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1600-107-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1612-148-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1620-1195-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1624-43-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1636-1080-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1636-71-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1636-1083-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1644-151-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1644-149-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1660-1125-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1672-1171-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1672-1026-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1676-1057-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1684-1079-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1696-112-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1696-114-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1728-282-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1740-1222-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1776-1101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1856-1137-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1940-146-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1988-1064-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2004-322-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2004-54-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2008-1086-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2028-1186-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2036-1030-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2036-1104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2036-425-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2052-1089-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2052-78-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2072-1231-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2084-116-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2096-1210-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2112-83-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2144-1147-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2152-1070-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2156-167-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2168-1032-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2180-152-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2180-154-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2184-1050-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2184-1122-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-1180-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2208-1153-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2212-142-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2224-1183-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2280-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2292-159-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2292-1165-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2316-1110-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2328-1159-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2340-1216-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2348-132-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2360-1168-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2384-1042-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2408-0-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2408-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2444-1141-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2444-1213-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2448-552-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2452-1201-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2452-1054-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2456-136-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2464-128-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2536-1067-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2564-1228-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2572-1048-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2576-1046-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-122-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2636-1192-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2644-1119-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2656-126-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2656-1134-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2660-1189-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2684-1144-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2708-1116-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2724-1174-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2724-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2728-1060-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2736-648-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2748-1198-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2752-1052-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2796-1150-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2800-66-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2816-1204-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2832-38-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2880-134-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-75-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-190-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2904-155-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2944-1095-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2976-130-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2992-1128-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2996-1113-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3040-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3060-1207-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download