2b163d858eb3d68f778923ba37eba2a18a211b1ada71085e723580adbb61a7cd

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

060798e07011c5b9cb44cebe483b72be.exe
Size

330KB
MD5

060798e07011c5b9cb44cebe483b72be
SHA1

31ecf287cebeb549b98cb65d2f3121a73f818e93
SHA256

2b163d858eb3d68f778923ba37eba2a18a211b1ada71085e723580adbb61a7cd
SHA512

515d51b2ad855d75bc34a753fe5d1ce40c2f38997f68cd58be7ec497156a55b594f33b2b985421a7c6624d6a6e2df67bffdeac6a08429235b1c7cd12294fb3d4
SSDEEP

6144:EuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qL3ks3ih1XGWB:v6Wq4aaE6KwyF5L0Y2D1PqLF3c2M

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1536	commander.exe
2796	commander.exe
2688	svhost.exe
2992	commander.exe
2744	commander.exe
2572	commander.exe
2644	commander.exe
2636	system.exe
2800	commander.exe
472	system.exe
3012	commander.exe
572	system.exe
3000	commander.exe
3056	system.exe
2896	commander.exe
1772	system.exe
1088	commander.exe
2856	system.exe
2944	commander.exe
2868	system.exe
108	commander.exe
1688	system.exe
1164	commander.exe
2272	system.exe
2224	commander.exe
2412	system.exe
2348	commander.exe
1948	system.exe
2108	commander.exe
1540	system.exe
692	commander.exe
1552	system.exe
1236	commander.exe
1980	system.exe
1956	commander.exe
852	system.exe
824	commander.exe
2284	system.exe
1520	commander.exe
2344	system.exe
1516	commander.exe
1424	system.exe
1596	commander.exe
1704	system.exe
2664	commander.exe
2488	system.exe
2816	commander.exe
2484	system.exe
2724	commander.exe
2824	system.exe
2608	commander.exe
2568	system.exe
2600	commander.exe
2692	system.exe
2308	commander.exe
2268	system.exe
1992	commander.exe
1056	system.exe
3036	commander.exe
1108	system.exe
1496	commander.exe
3064	system.exe
3040	commander.exe
2204	system.exe

Loads dropped DLL 64 IoCs

pid	Process
1464	060798e07011c5b9cb44cebe483b72be.exe
1464	060798e07011c5b9cb44cebe483b72be.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2644	commander.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1464-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1464-12-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0008000000012222-13.dat	upx
behavioral1/memory/2688-15-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0007000000016abd-27.dat	upx
behavioral1/files/0x0007000000016bfe-31.dat	upx
behavioral1/memory/2636-33-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/472-37-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0007000000016b83-38.dat	upx
behavioral1/memory/472-40-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/572-45-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3056-49-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x000a000000016c05-50.dat	upx
behavioral1/memory/3056-52-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1772-57-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2856-63-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2868-67-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x000a000000016c05-68.dat	upx
behavioral1/memory/2868-70-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1688-75-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2688-79-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2272-82-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2412-87-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x000a000000016c05-91.dat	upx
behavioral1/memory/1948-93-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1540-98-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x000a000000016c05-102.dat	upx
behavioral1/memory/1552-104-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1980-109-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/852-111-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2284-112-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2284-114-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2344-116-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1424-117-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1424-119-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1704-121-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2488-125-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2484-127-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2824-129-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2568-131-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2692-132-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2692-134-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2268-136-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1056-138-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1108-139-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1108-141-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3064-142-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3064-144-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2204-146-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2892-148-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2856-149-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2856-151-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2948-153-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2372-155-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2336-157-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1188-161-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2412-163-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/992-165-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2300-159-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2100-167-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2108-169-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1556-171-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2688-172-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2496-174-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\o:	svhost.exe

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1464-12-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2636-33-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/472-40-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/572-45-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/3056-52-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1772-57-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2856-63-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2868-70-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1688-75-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2688-79-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2272-82-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2412-87-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1948-93-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1540-98-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1552-104-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1980-109-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/852-111-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2284-114-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2344-116-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1424-119-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1704-121-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2488-125-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2484-127-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2824-129-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2568-131-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2692-134-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2268-136-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1056-138-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1108-141-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/3064-144-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2204-146-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2892-148-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2856-151-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2948-153-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2372-155-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2336-157-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1188-161-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2412-163-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/992-165-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2300-159-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2100-167-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2108-169-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1556-171-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2688-172-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2496-174-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2216-176-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2008-270-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/3016-301-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2864-323-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2280-377-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2192-463-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2976-542-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1772-630-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2040-706-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2144-781-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2144-820-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2976-886-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2372-948-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1884-1024-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2672-1038-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2216-1040-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/1532-1042-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/692-1044-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe
behavioral1/memory/2728-1046-0x0000000000400000-0x00000000004B6000-memory.dmp	autoit_exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V2VDVJV8.txt	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	system.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File created	C:\Windows\SysWOW64\system.exe	svhost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6BA3E91-9E63-11EE-A57F-CEEF1DCBEAFA}.dat	system.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[2]	commander.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	system.exe
File created	C:\Windows\SysWOW64\commander.exe	060798e07011c5b9cb44cebe483b72be.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bLorjuYUN[1].js	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	system.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	system.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B6BA3E93-9E63-11EE-A57F-CEEF1DCBEAFA}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B6BA3E91-9E63-11EE-A57F-CEEF1DCBEAFA}.dat	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\aa[1].htm	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\V2VDVJV8.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	system.exe
File created	C:\Windows\SysWOW64\svhost.exe	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	system.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	system.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	system.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	commander.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	rundll32.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Driver.db	svhost.exe
File created	C:\Windows\svhost.exe	060798e07011c5b9cb44cebe483b72be.exe
File opened for modification	C:\Windows\svhost.exe	060798e07011c5b9cb44cebe483b72be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB516AC-7FD5-49FA-92D1-A1B3B4FC5287}\WpadDecisionTime = 1028ec7a7032da01	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	system.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 50b26c7b7032da01	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	system.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\NavTimeArray = 3f0a0000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0045000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	system.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B6BA3E91-9E63-11EE-A57F-CEEF1DCBEAFA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-15-aa-9f-7c-18\WpadDecisionReason = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 50b26c7b7032da01	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden = "0"	svhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	system.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MINIE	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	system.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e7070c00020013000b002a002f006e0302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	system.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	system.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	system.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1464	060798e07011c5b9cb44cebe483b72be.exe
2688	svhost.exe
2688	svhost.exe
2688	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2688	svhost.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	iexplore.exe
2044	system.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2044	iexplore.exe
2044	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1536	1464	060798e07011c5b9cb44cebe483b72be.exe	28
PID 1464 wrote to memory of 1536	1464	060798e07011c5b9cb44cebe483b72be.exe	28
PID 1464 wrote to memory of 1536	1464	060798e07011c5b9cb44cebe483b72be.exe	28
PID 1464 wrote to memory of 1536	1464	060798e07011c5b9cb44cebe483b72be.exe	28
PID 1536 wrote to memory of 2400	1536	commander.exe	30
PID 1536 wrote to memory of 2400	1536	commander.exe	30
PID 1536 wrote to memory of 2400	1536	commander.exe	30
PID 1536 wrote to memory of 2400	1536	commander.exe	30
PID 1464 wrote to memory of 2796	1464	060798e07011c5b9cb44cebe483b72be.exe	31
PID 1464 wrote to memory of 2796	1464	060798e07011c5b9cb44cebe483b72be.exe	31
PID 1464 wrote to memory of 2796	1464	060798e07011c5b9cb44cebe483b72be.exe	31
PID 1464 wrote to memory of 2796	1464	060798e07011c5b9cb44cebe483b72be.exe	31
PID 2796 wrote to memory of 2696	2796	commander.exe	33
PID 2796 wrote to memory of 2696	2796	commander.exe	33
PID 2796 wrote to memory of 2696	2796	commander.exe	33
PID 2796 wrote to memory of 2696	2796	commander.exe	33
PID 2828 wrote to memory of 2688	2828	taskeng.exe	35
PID 2828 wrote to memory of 2688	2828	taskeng.exe	35
PID 2828 wrote to memory of 2688	2828	taskeng.exe	35
PID 2828 wrote to memory of 2688	2828	taskeng.exe	35
PID 2688 wrote to memory of 2992	2688	svhost.exe	36
PID 2688 wrote to memory of 2992	2688	svhost.exe	36
PID 2688 wrote to memory of 2992	2688	svhost.exe	36
PID 2688 wrote to memory of 2992	2688	svhost.exe	36
PID 2688 wrote to memory of 2744	2688	svhost.exe	38
PID 2688 wrote to memory of 2744	2688	svhost.exe	38
PID 2688 wrote to memory of 2744	2688	svhost.exe	38
PID 2688 wrote to memory of 2744	2688	svhost.exe	38
PID 2688 wrote to memory of 2572	2688	svhost.exe	40
PID 2688 wrote to memory of 2572	2688	svhost.exe	40
PID 2688 wrote to memory of 2572	2688	svhost.exe	40
PID 2688 wrote to memory of 2572	2688	svhost.exe	40
PID 2688 wrote to memory of 2644	2688	svhost.exe	42
PID 2688 wrote to memory of 2644	2688	svhost.exe	42
PID 2688 wrote to memory of 2644	2688	svhost.exe	42
PID 2688 wrote to memory of 2644	2688	svhost.exe	42
PID 2644 wrote to memory of 2636	2644	commander.exe	44
PID 2644 wrote to memory of 2636	2644	commander.exe	44
PID 2644 wrote to memory of 2636	2644	commander.exe	44
PID 2644 wrote to memory of 2636	2644	commander.exe	44
PID 2688 wrote to memory of 2800	2688	svhost.exe	45
PID 2688 wrote to memory of 2800	2688	svhost.exe	45
PID 2688 wrote to memory of 2800	2688	svhost.exe	45
PID 2688 wrote to memory of 2800	2688	svhost.exe	45
PID 2800 wrote to memory of 472	2800	commander.exe	47
PID 2800 wrote to memory of 472	2800	commander.exe	47
PID 2800 wrote to memory of 472	2800	commander.exe	47
PID 2800 wrote to memory of 472	2800	commander.exe	47
PID 2688 wrote to memory of 3012	2688	svhost.exe	48
PID 2688 wrote to memory of 3012	2688	svhost.exe	48
PID 2688 wrote to memory of 3012	2688	svhost.exe	48
PID 2688 wrote to memory of 3012	2688	svhost.exe	48
PID 3012 wrote to memory of 572	3012	commander.exe	50
PID 3012 wrote to memory of 572	3012	commander.exe	50
PID 3012 wrote to memory of 572	3012	commander.exe	50
PID 3012 wrote to memory of 572	3012	commander.exe	50
PID 2688 wrote to memory of 3000	2688	svhost.exe	51
PID 2688 wrote to memory of 3000	2688	svhost.exe	51
PID 2688 wrote to memory of 3000	2688	svhost.exe	51
PID 2688 wrote to memory of 3000	2688	svhost.exe	51
PID 3000 wrote to memory of 3056	3000	commander.exe	53
PID 3000 wrote to memory of 3056	3000	commander.exe	53
PID 3000 wrote to memory of 3056	3000	commander.exe	53
PID 3000 wrote to memory of 3056	3000	commander.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\060798e07011c5b9cb44cebe483b72be.exe
"C:\Users\Admin\AppData\Local\Temp\060798e07011c5b9cb44cebe483b72be.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C at 9:00 /interactive C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\at.exe
    at 9:00 /interactive C:\Windows\svhost.exe
    3⤵
    PID:2400
- C:\Windows\SysWOW64\commander.exe
  commander.exe /C schtasks /run /tn at1
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /tn at1
    3⤵
    PID:2696

C:\Windows\system32\taskeng.exe
taskeng.exe {709ED255-63FB-4BEA-801A-0D5D29C3C1E8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\$Recycle.Bin.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:472
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Documents and Settings.exe
      4⤵
      Executes dropped EXE
      PID:572
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:3056
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:1476
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
    3⤵
    - Executes dropped EXE
    PID:2896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\MSOCache.exe
      4⤵
      Executes dropped EXE
      PID:1772
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:308
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2856
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2868
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
    3⤵
    - Executes dropped EXE
    PID:108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\PerfLogs.exe
      4⤵
      Executes dropped EXE
      PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2272
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
    3⤵
    - Executes dropped EXE
    PID:2224
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files.exe
      4⤵
      Executes dropped EXE
      PID:2412
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2348
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
      4⤵
      PID:2100
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
    3⤵
    - Executes dropped EXE
    PID:2108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Program Files (x86).exe
      4⤵
      Executes dropped EXE
      PID:1540
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2164
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
    3⤵
    - Executes dropped EXE
    PID:1236
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\ProgramData.exe
      4⤵
      Executes dropped EXE
      PID:1980
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1956
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:852
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
    3⤵
    - Executes dropped EXE
    PID:824
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Recovery.exe
      4⤵
      Executes dropped EXE
      PID:2284
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1516
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1424
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
    3⤵
    - Executes dropped EXE
    PID:1596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\System Volume Information.exe
      4⤵
      Executes dropped EXE
      PID:1704
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Users.exe
    3⤵
    - Executes dropped EXE
    PID:2816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyc:\Users.exe
      4⤵
      Executes dropped EXE
      PID:2484
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2724
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2824
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2608
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2600
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2692
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:2308
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2268
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1056
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2408
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:3036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:1108
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:1496
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:3064
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Executes dropped EXE
    PID:3040
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Executes dropped EXE
      PID:2204
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyc:\Windows.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2108
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copyf:\$RECYCLE.BIN.exe
    3⤵
    PID:1228
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copyf:\$RECYCLE.BIN.exe
      4⤵
      PID:2496
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1960
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1772
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2144
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2788
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2980
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2216
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2492
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2744
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2632
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2564
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2796
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:320
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:1340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:308
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1592
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2836
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1520
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2092
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1700
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1264
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2292
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:472
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:284
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:308
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1296
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1072
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1640
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:1716
      - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        6⤵
        
        PID:2164
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3052
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:680
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:824
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:560
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2964
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2532
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2824
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:1480
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:560
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\system.exe
        
        C:\Windows\SysWOW64\system.exe copy\startup.exe
        5⤵
        
        PID:2352
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1176
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3000
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2352
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:692
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2492
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:284
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1044
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:824
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2244
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1688
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:240
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:768
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2072
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:268
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:328
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:796
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2832
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3032
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2448
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:680
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2908
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:880
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:892
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:768
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2532
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:240
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2068
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1556
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1584
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2208
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1520
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2000
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:852
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1616
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2552
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:560
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1088
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2260
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of FindShellTrayWindow
      PID:2044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1540
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:432
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:288
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1204
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2492
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2308
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:780
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1612
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2768
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:968
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1664
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2744
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1564
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:288
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:868
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:676
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:284
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1176
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1076
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:312
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2596
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2904
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:108
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:340
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:828
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:568
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1356
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:432
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2424
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2072
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1708
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3040
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:328
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:472
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2956
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1780
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2668
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1624
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    - Drops file in System32 directory
    PID:1468
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1404
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1192
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2900
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1700
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1740
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1372
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2680
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1352
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3048
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:860
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2156
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:284
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:548
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1608
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1516
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1152
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:580
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1404
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1880
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1168
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2908
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1164
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2992
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1756
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1740
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:516
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:892
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2824
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:624
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1264
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2248
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:320
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:928
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:472
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1772
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1780
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2936
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2112
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2456
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:568
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1108
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:576
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1228
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2340
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2244
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:516
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2344
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2600
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1264
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2152
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2008
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3040
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:992
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1184
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:976
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2468
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1092
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1908
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3028
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1996
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:3052
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1640
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:680
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2592
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1544
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2728
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1812
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2732
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2960
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1964
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:604
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1488
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\commander.exe
    commander.exe /C C:\Windows\SysWOW64\system.exe copy\startup.exe
    3⤵
    PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\SysWOW64\system.exe copy\startup.exe
      4⤵
      PID:2976

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2300

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:992

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1556

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2216

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:2896
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1516
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:1468

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1532

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:692

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2756

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2864

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1876

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2348

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2328
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:1168

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2860

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:3064
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:1264

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1508

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:552
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:2056

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2444
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:2056

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2176

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1760

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1560
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:2240

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2408

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1896

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2884

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2668

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1592
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:2288

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1296

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1980

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1684
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:2820

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2108

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1512

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1808

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2008

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1896

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2904

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1960

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1632

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1178558364-166454057013309483411779588551-167441343732230081020576174711542734670"
1⤵
PID:2964

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1511892660-1194428758450567129-6928285041595627825-1456615937396931373-751488061"
1⤵
PID:1160

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1884

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:996

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1756

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181453447616042159102062128565-419258355-1013732517-47708653-1212691684716739764"
1⤵
PID:1812

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1424

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2268

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2552

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-105779811921391852791696180779-1416556829833902629-10331326042366826461984934881"
1⤵
PID:2864

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1188

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1803176007-1130997042-478344600-1815810635-13444426791679336278918782842-1927962601"
1⤵
PID:2040

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1506888926402366984-408900474708384921828716150-1094362723-8056009611334690319"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-582656991-19158214411080505842036112531151597572098311-70701008505904717"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2070748752-2116895306-1001395421-1587862268630918516630794430-1505784188-1692398221"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-954074785967070258-1785111245-296228358-73004774-595593902-21150475111534097321"
1⤵
PID:2192

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14504629831360969032-1902723622-15873340321714820453401514196-1953426845-967091522"
1⤵
PID:2456

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-478791935-146314404511473824961870822237-2016176020-6567751911006688246930354864"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1768749455578836944-817323414659653202072746276-111708371301575282751365480"
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "246652037-2114508667280154299400198141683856031174529234-188972697-967762373"
1⤵
PID:1544
- C:\Windows\SysWOW64\system.exe
  C:\Windows\SysWOW64\system.exe copy\startup.exe
  2⤵
  PID:1756

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:2700

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2096606501-1796329370-41531454206665896410528434431418004757-2044749062-776136909"
1⤵
PID:2644

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "171550487-842260912539054392-1151156320-852888683-2293803511447231672378556538"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1753563048-1179348685868197405-1706244206180436183-761477592-335921680221401073"
1⤵
PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1939719231-175976557-422384165-46326021-1771812109-5630670522131915738-1672503288"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841184864-53910684196551832-818979146-12817509741183968499-618362776347064668"
1⤵
PID:1736

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:3024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3516537751676164269-7019438431898948997-1167128466-680323408-1200252583-1938680959"
1⤵
PID:1096

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "36224128-528795661-282204105535023564-1377255726941188779-1972790429-689275297"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2012775164-5280124321500390185-175431854350785283919924377462120519332-1654230446"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1062913482-2073651714-3780402461868273943-118508004-210564321813570920312144264327"
1⤵
PID:2628

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1501555565-946558426-1313036348121417312154762106612581954291328104010-108323444"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121329219412310662721260501032349743682-1611698226-2555045221511579345665205840"
1⤵
PID:2008

C:\Windows\SysWOW64\system.exe
C:\Windows\SysWOW64\system.exe copy\startup.exe
1⤵
PID:328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "221256934-1067916593-12275002451230456181104495344017428955729451336801839496454"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59918380-683422640-1253353852182102745-561791467209078698530378491-219359274"
1⤵
PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-504614224-1686312701-125184113-110049683621516752-429640107385094637-536426187"
1⤵
PID:2820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1370742404-1476529681349479100-1781157713-1779805604-9142767371153147167-456469731"
1⤵
PID:524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10760324102111383736-20421280482075026230-824749310-1532858357-1837532102591504139"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18406376631748699347-1807443384-3001343111134992881-12869314272104271620575133355"
1⤵
PID:2980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12839525342020598320-2081720978565098093-811229817-7344241582466316931023899543"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-913249119-958583942122013433-431820046846626921651237664-998772943626334246"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-746726191171506602418474346-1991427635-4625809661830190351-4631262767449227"
1⤵
PID:1296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16801047931034145406-681994163-15618857611854532215528959101879744287-47106143"
1⤵
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1054662335-11655389951664289943-11375072196547248771902181159-314453500238724782"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "66129292-289344131-152472992154782407513847128-1285367206-1073211703541396731"
1⤵
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1815105665-2068255466-17254346471446024022-117279445614672209722022698474516749461"
1⤵
PID:996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1429302268-7972543141456172131-270384231126648215-813929917-841044747847489684"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-118417465-646216457-12042169428193207771216240904-535833588963782122252265911"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "76790208059418910-1197902278-503573702428433503-18900267181644878458-848550856"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-534739943-2020056901-1303046027992091842-127645220220158174701075643112002964172"
1⤵
PID:2636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1152789538-5406325-15893623612117729759-4269746441747994661813418821315253238"
1⤵
PID:1860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1627278087268512497-550573818-727232656-1279700216-14457793789727691511346633161"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2120078383-1572717616-1046783021-10705308571822762403353721364-1917035695-847845771"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12920139271258430217-301263699-629147587-17389422641571449417-1261105141-1958029920"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14341057661775797706-111913152710054926311958810063705686476615631801649658069"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4427556171246528023961238951-1726384521384915084-11649218243376445391776585026"
1⤵
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-299389034-1089363224-2004007106-389183494-1515156179998654321901549762239904366"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2136099772-76743719-223054410-1778954113-293658857525852791-1867971316910299231"
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2099912827-21244712321999923066-141836858912191812941301796423-16651719521828673130"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "624521277-2889943-10851161101168776014-11814567-15794058864269983291195000497"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1625802822-1116214815598082330-1384196754-13137652871059799513-101395572-1157196705"
1⤵
PID:2416

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "797676705-901358091-423252173125915463-169105777-1426827879444954593-294327302"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12381531-155688713617816109861565655311-5111026211858711635-882164558-735334446"
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "969652289-1694662129874993590-1103037653449025387407698130-1191811148292234600"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-414425723-1826827607-577964832370992865-18762645401165455186-862362464-1897557978"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20706302621499444281-838019614-10463457-20384657261318820666105502063-1057312449"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1505692152-113134880150099939816074823281756303395-13939566762109203911630559228"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5156913512080768220155357361910536500931886709604512262340-1417404163-1874707085"
1⤵
PID:860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16723961-265131293305261611-763961243-6993232848485026341961702160103060419"
1⤵
PID:472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-490407322-701181510-130172358934913963454757292395865531-557083813328806184"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1735106146-2071778748-566372409851849756-13134476872087202692-1591766094-307887575"
1⤵
PID:976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1040610791-16415041211248092022-14739799751482370734146782921-381712344118129058"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-420820403-5504790171621253313-1848874912-855314332-2140424143628203185-1828594705"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-81090312-2042749427-181296896360927014-789721922102806878-1163952922-1720168773"
1⤵
PID:3036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "183945493334075976671734071118173279331208314959-5836517991302149001-1094139631"
1⤵
PID:1564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2027410561167918232450013910-18109561601777291480-431973586-205553339-1881041900"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1195803365-1636717435-65889812-1217548635-1841162861-19709428211348306641-1310393013"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "48767580056815456214291771771214325692-1881308040-8762231911521485546-1892308257"
1⤵
PID:2836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139859805-1250567543-1977994434-18902023371010174231-15893970511396953215-1307957246"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "47164257420928840811175143097-5611385716919667811064651939891499402-1273422925"
1⤵
PID:2484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8313474641088060399-1100924300498906566-184300582819040178881854209908-1136349023"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2102064408-11727343315323805351960666278-98685203-192512740821353712982083214992"
1⤵
PID:1360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1565246001-125607281371965321-1143820372-3094805251898037036190096371930430292"
1⤵
PID:2152

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19316855151037591388239538379-1701407247-1680593089-1525010602-1443686752961452545"
1⤵
PID:1792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-740622811-1080106989-383659217-461752398-813918524-1381427492050631166-869116138"
1⤵
PID:1088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-898963211836297611606986318-130156115-1721831708-1284289747-1704121346-1130491357"
1⤵
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1305046451-240801297873251230-1142695743-236401136-1982587546-1601389273-632102106"
1⤵
PID:2744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1401933443-1068341260-1584968381-5704254401654577804-1760178109-1266406567-248540681"
1⤵
PID:2872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-181564987459638579559686354-1597907073-1539230309335783538-20774257581871348444"
1⤵
PID:2524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1119517883-1307205388-228671505-1633581919-612063882-534636100-1411706146-550653598"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-268845628-306491396-160385933-369313370203368693873673395519552614231125819086"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1316182641-867668842-9614944261495612921-2030486772-1762874141742495330-1705110651"
1⤵
PID:680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1304285708-684233839-355316501-65493403835293131870455876-977823659-2082749883"
1⤵
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-134112247213954256145036909761659105299-6666589612112300397-7589868131266196528"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "331762754600218286-1915711323211923293720973927477651578452133681060310325428"
1⤵
PID:624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1995080968-347070489-3891513811614292157209507634-992764191-1108832376-1980820943"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1404619476629183686-1625258012206937288816955018317952560735579550551970624462"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5789045801318766522456721058-2098608305306989036-1445416898-302418021921913370"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19063821941485431036-92003731159344542216463764241229683071-1009110022032363364"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-54986460420694034219258237731485622309-1244464803-663959576-187064936-501865062"
1⤵
PID:1732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-679046648322069183-1130505655248361726182839496918539319601819288755-1821941949"
1⤵
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11344914164212584042402851601865030331-1828778626690242690386192320-227999265"
1⤵
PID:1188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140447451914758613951671256315-1177329165488846595-628143166-13064671151616550717"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-570755010-70396083119294238535786564-4864700271006367773-9252583951937085993"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-689707221-830916669-14712388411160067209-5850652901830261418-9863192931609766167"
1⤵
PID:2536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1895928868901080062-1804987217-13939588551815194881513903899-1888508912632990973"
1⤵
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9833735201376475405-326639482-765305585-586373736559924641-1072792692111462162"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14753648741262413576-1660740209-69166398513112749561420340788619748269-2078307921"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-505298575-968794562152311956-1249572799-2119618479-17036145091520957524-1780145889"
1⤵
PID:676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1808441311793526775-22459025220003511583681092572143738695-1883417786-2087709927"
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2053138722115784186742554933446783509-13113196036766904804275322531756761374"
1⤵
PID:1632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8300875381984544197-2020397648-771032859-1184650608409674690-1248111178259122592"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-521671045206658212184732788-1197936676-389287136-1352432619-968794157-499501660"
1⤵
PID:828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1742518534-5169174981838869211-156644906510832501291937909830-1492646249514121266"
1⤵
PID:1684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1517159113-952054077754867691-1184903505-2069671287-1444952346-697110844588481923"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1873351562-892305176-152739613611154884501660102150-985387368-1324535776-111017863"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1100700750-1668456698-1682186033-1756792237831603250-1461762202-762367261-740160623"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1903601223-138080160813473130691507479478-15965303611547562784-1793075642264492821"
1⤵
PID:1164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-762560000305234450855392758-1466370361049566470-1139977486-3677723161630495846"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9223164641351597526-1091355791-205506371443613385-513999077779325353-1063651810"
1⤵
PID:1740

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1542220053-1317557162662844258371320988126384745913630982011828603949-1649504680"
1⤵
PID:892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154477120813100113785493368737602526101139283906-17723104341914269941583471024"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1376934584148315547-16145403481362851582-1073360032-2050094230541713050-1480396415"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-412120847-1519054982-220791567-117238545981891190-1339697108-3086046952146652458"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1972533932-183567984413099546521365721775146768617893510093114376191831611437234"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1613598936-108551445215541418321774641805556829082-69565608-1466005259-470508332"
1⤵
PID:2208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3850676-3837479651156369277-1957200273-442826084-14439425851328948379-29304008"
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin.exe

Filesize
330KB

MD5
5901e4e6f3bcb4f87a377dd53e0f06f3

SHA1
7b9f40f3221ee498b947f56e616c0a64f36eaea0

SHA256
986be3981a3fb153e156692456ad90fe2ade0a672379b4bfaedda283335f4da5

SHA512
d563872bbc1030dfba17dbbd420b8287877676d32073571f7de3b540f417845fc677a8338f3d212e2a6e90380b8eeb67932995e8c236b155d1d42e3a6168de48

Download Submit
C:\Windows\SysWOW64\svhost.exe

Filesize
330KB

MD5
e63803e77390c7bbbc1d4dbb5753adc1

SHA1
cba350c1562982f3b21ddf69097fa2bc09c6f7aa

SHA256
0dc04b1fab79c86f1930112fba46da409f77ef472d832885aebbfc562ea174ef

SHA512
d8a425823c99354967929c93398154b59d3bb4c46dcd10d428ab0d6ef652abb784d0e4c59afaddf6e8460833b0044ddf0b3625665219b7a36e77b3e4440d12b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d6a1f16295b39fcb56fdc25ac7aa981b

SHA1
87a4a37d3536e150a95743dfda0ea9a4c19cfa3c

SHA256
cdc1b41413238d8989e89f3c3ca8369abd033b5c8f4574f7acdad5d4aedc562b

SHA512
16f6c2fd012a402216a1931d906858033140eede4fb072bb2f05e31cf88da43f4c544db1e31f329b6a230a1673c71cd4bf1824d9b0de9235771ae1466dd3f520

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
aea28f3c74e2709f6fc3c8418d867ee0

SHA1
191742572000c2bc3f3ddac75f1ee2ee29f71d42

SHA256
1d4e2ce14bea64e90ab0a6a9d4ce6670fcbf9b9e6ecef0bfa8fc69ad04f62daa

SHA512
2790665f38d689b9b310b677c94df2ea15e3c381059e7085e3cb4523abeb68d59fb1f93e286ac2de80a65896c48218ba0c74d40be99d4c2b7a3ccd2823d0e004

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
14ecde98587fdf385c0d6cd9caee50e8

SHA1
3c409b7d24b0ba848b7488995c1f7510df8cffff

SHA256
e1466e67b2a9f15253832805b47c7d1fc3f55a0dca2bbc8da679c35ca0029fe7

SHA512
5031f131da3eae17e910887e177f546533aa3c51497f4a12346706785045739ff71afbab475a872d5754165bbf61ecaea35202b19251c27ca6d238018f4c81bb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9dbabfaef5cb5fa9fd67e53627235f4c

SHA1
0c9cd5cc2e46fe8282732fbaef5ec89474367c50

SHA256
25a1131f7f2c9e9dec5a6c7522aae6f1e5209035264133b537b311aa02e20cb2

SHA512
c96bcc4d184dfdcec8e66d169d40a69b2dda0be9a0396dd7d9f7938257bc136882a9509cdaa223d4df36e4979ec77039b3eca94d5365f0fa28643ec574672e85

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3bbe1b4611f43db227bbc62ab3694e43

SHA1
640f7910cd218c6a734ce705d97b25c504268cf8

SHA256
61e4d12cf09609023ce8d4494f597a6fd3f891c49e6b1a665bf0fb4a98fe05b1

SHA512
60e48db11f10ba9e9c3b3da7eca285c9c9e8f30e9cbb7610302bfe6a0cea02006ada49f8ade5e7d5010bd31df9b52b710da8039710887f173d0c6bbfd8073b26

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2f1b93e2ad9f78ad77f2fd37fa7b34ea

SHA1
cc8cb27c6114a943ece2ad2747e8d311ff56d529

SHA256
fe3d9e4a527b0863087115ea9d1334732c4a859260061c7d1fa473e1b9f8f84f

SHA512
1becf215012d31106564781a101aa96e39c574edb289939e69d2f9256b6157e815eed0852979a0b79513c49d16372cb3cc9407e68a52fa9af6c3bd0f3e3bdbca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f7bc8ff1d7fd5e1c9348958f9fca70ed

SHA1
bc7c51dc739f5692a14446d4c70cfac71a88c5a7

SHA256
a1d69c3c2e1230f8ac6a51a4e42f1d611e42c8ff5bea66973b48bb9ae2e62b54

SHA512
a9b32108fe7ce7264589a976f254d0e7e276fea5801dab07c4d992af93ee8bfe03e54605d183cbbf3383be1cd0acef00eb34804a2cfb026b3d52c1f509f5164c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d1da3480b7f59c8f8b5c08a57327a26a

SHA1
f9c1704b1dee42c0888e13f2f2a6192c44783a15

SHA256
55d75bd19072a03a90023789092869e00628b955d9e730d7534be190d14e1cf8

SHA512
4ddc5fe6fba59856feb797a42d4fe7c50739fc4447b6d2bc9956fe274a2e8faa8d575e9ad3a59c7697889390f272de57146a13ef1dd57311887b630842a96945

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a3053fc33516874c46231d6a9266c587

SHA1
bfdacaaffaa1408e4f8d7e51718d3b84f8fd2459

SHA256
1abde1b994def5f8d23fa1f83ba9fd649df5be2d92a7371bf8c225c57d777250

SHA512
e225cfaa951fce28dc40d6a95f27be18bfa08762cfa316dc26c788e536a5a6161818d7739c168ec2094f4144a431a9e3a09a1201466021466b6400640ad7345e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
180080734579b2d7e4474f40399853d5

SHA1
b4842fda7765ff95fa97125b062aa6410b829041

SHA256
b1693124bba982b2b1908aac6303ae5b3670c2ec224a105660788392d1adef7a

SHA512
cc4bcebeeb3dbbd2e5be64c15a2b1dbdbd5248b0eaf88abce5afc7457367559da10235e5530bf55e3591dd65361c79196963bcee8db1faead3c5a382b83af43c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
17639a9a6387baff725f12f2fdf4ad78

SHA1
281af3a78bad610a88865c5bbc171237a35a44b2

SHA256
885682c079ee828ec724b0e7f3adac2bd066b7a58e8357730e26c92231fba71e

SHA512
52ceac965d84c4951c86cd2ec2de0ac693c6dcb172803d994388f021f53ca5c7370d4f403c1b4f2d43589a572e9201440e46e5acdbdf4284e6c9e1339da2cfa4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
0dcf0c1386ac684718db4ead337a5ed7

SHA1
98f117606d7913faaeba74eaa595cf083566bb00

SHA256
b6257784301e863a0e816a0fe5f6229aaf484e5b1e2a00b12ef78e5b7cbae1e3

SHA512
8e137df74e362b9bed2088d5cf6186bc598ecbd99cd608d99dc056f710118ce484275715ce4067c810befa939f953924a9f6845de2ff0f91b7a40a9de0d04505

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
235cc464cf48a2c33cdc0f63ba5cb46f

SHA1
c34a5cdb2aed3171b4f62f3496a7a1b04d4e7995

SHA256
7c263f5681194a08fac682935f7b151ab7e8b9fa509f29bd56b59a41cd84e783

SHA512
6dd119ae16524d4e1d69864b136397746c55a5aac0ea98a9e69722b0d2cf0d31bf3a2cfa4137c49dd7f92d1d59a864e15fd218dd844ded8887d9009561d17633

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
80e7229beab2d71c1c082627ef08586f

SHA1
effdfb6bc049a867a33d4a866c8a66dcae1f7baf

SHA256
1144922745d801d3597bccae3f9eeb6d6baf4289b51910100e05eaaea9058f66

SHA512
5d61dd6d9a4fc8ea995723fc926c33499f4d22dfaf3a434d6207742d42207a56744224a9299f1e4129c212867946efc36f7f9e4552628375d93d211e3c45e82a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b55349e64e5bca45b01dcfb392a020ca

SHA1
88d60d9b65df17214705d74f6a544c799e174a74

SHA256
ff7962a12a98258253ac9459edbcf065c2fc070cbf2b7e9d2f6ac3f4c01244b1

SHA512
021bfd34935d7dfc251c690490982921db634585a37153bc0b7a43fa87a858e037f32913f9c725981d49b7d4f2ec03b959787adfef643999d3a62506b6a3a07f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0cceb8305db3954d3c010176bf8572af

SHA1
31bfd90beeefc073b803ab41bc739d151f7c8623

SHA256
42dc31f43dab640b7b1f24163aa2d3086430ed99ed6b89f122eef861cde890ae

SHA512
34eb6514f2ceaee68cc8096d35e4c039cf9b358c9c8b0882ceb36a9dd5d391871d6b95224ec8f894140ac9011f6a7977b15a6f1a3551a009e7d31b811b0aa784

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
4KB

MD5
169286cf7ef23a3833b52a153f337a4c

SHA1
de9e7f204a72274fec7703d7d121944e1a5729ee

SHA256
a85969dc30dfeaa425b9423507abe537e4aab0f8bd43d893a0f11038a134f236

SHA512
eec83d07847dd2c69abec16b23f42e798bc975e7eff3819d57823dd0f43c331f1bf093a9579bb7e2c9c1c53cd412dbfc85ccb58597a9e702de35db62d83fcd43

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab8C9B.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar8CAE.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar8EA7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Temp\www8B7D.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www8B7E.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\svhost.exe

Filesize
330KB

MD5
f4c22516a7364b58e548bb5ed25f46f0

SHA1
802363f0b56abe906f79bf657e5cf3b3ab5093f9

SHA256
b11b0bb3df8fad0e7bf5430ed88772cf16590754f3aa6d3ba3b5ba64d63f92f6

SHA512
8ce46cf68dd72e88158e59867a3266ba3143bdafc803aa80b3260afb26ada05993eb651d3854836b71b60351565366bbba89b684ace4aedae35b1c5d2c1eb775

Download Submit
C:\startup.exe

Filesize
330KB

MD5
d01b01c41cf727eeb84f5fbac5869712

SHA1
c6b60da38f5e837116254cca56f65d7c4b2c561d

SHA256
9ad77bb1f0bca9d1fb5eda5b5a53ec059c0177668da531650cb6383c9eeff7e4

SHA512
b162a95cdd087ce0e2dcff0649b3e98b5c11a01e045c701b2c832fe2a794d7fea44ab75c738b76476537617cdfdc846feec02bd77aa538c8497c2b3d249cc6f7

Download Submit
C:\startup.exe

Filesize
330KB

MD5
a5205c6f216148edf97dfdbfae91a0c7

SHA1
702ed5d0d71d5c0ceee9428ae306ac460a35bd5e

SHA256
80784ce3a6002990de4107e87be06409178351a6848a4b9519300053c28a851c

SHA512
487a1201dadd037216780ec971256a244d94b8efc79e810d56b0a7a87b69c0c1f544fe91d516c039642935375326efd3e05efd707370a66b022e59f483d81801

Download Submit
C:\startup.exe

Filesize
330KB

MD5
55a4fe527d993e6f621a0888dae3bd86

SHA1
a8eaebe07717809c97b55eee0f8a5f8c284d2a77

SHA256
5730f3d7402950ed25a5e7fb260fb85f1cbd50d000ac47dba48d70a29503959d

SHA512
e3743044734d2c2a41600b04b7a1d3b950afe5bc9a1b12e87ccd4f7718358b4400be56d7720e9738649396b28bed4beba227fc0747c5ea73e3b713333b58389b

Download Submit
C:\startup.exe

Filesize
330KB

MD5
10025370b06512fb79cefd306ae0150d

SHA1
81aa76141dc906e1da07045f56aa5e752ba8f654

SHA256
abf2976b41fd2a8e6a359e825204e0f4f1c6e9a1e8cdbc1727f2a975bd2275e4

SHA512
ae44622bb7d8d9f30652bbe7db72b237d10003887761c5f94c1123a92adc150f443cd0676d860d8afb7bfacf2046c1b9cfe3be6e4645b657b5ffca24d3bc1181

Download Submit
\Windows\SysWOW64\commander.exe

Filesize
295KB

MD5
8aa05d71db5decfda64a7c641e3cf078

SHA1
9a2a830d4f0d89710e803369f1e6b33aa9856d67

SHA256
1d30fdcea7fc1e57ff791ee69483d78ec6e8818421aaeba39906166cce1444be

SHA512
84ba36985c3e1c1b90e51b945a62b58bdd2f9f9627fb6ad7354470c86b7979fc49724945fdb42d62bf8f85010c92ae52ceb43abe44fad71dc999f2e591562fbd

Download Submit
\Windows\SysWOW64\system.exe

Filesize
330KB

MD5
19fcdef4657631f2a21df664bf32dafe

SHA1
263644cb2cfbe3181b0b66e38755d8ef6180675b

SHA256
38db895261c0ea91c8b96abddd0b8d71e61f0297cd05faf8c39f23a3892a026d

SHA512
a8140a5e1fe38890a0902ff80077574b25700d203bd8439e7ff5598d3c38033033bb8d9e596ff28f95a3916e105b7aec544e15ca597c60010251763917a4db51

Download Submit
memory/284-1160-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/308-1166-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/320-1073-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/472-1154-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/472-40-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/472-37-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/552-1172-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/572-45-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/680-1185-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/680-1188-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/692-1044-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/852-111-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/992-165-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1052-1181-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1056-138-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1108-139-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1108-141-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1188-161-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1424-119-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1424-117-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1464-12-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1464-1141-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1464-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1508-1157-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1520-1122-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1532-1042-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1540-98-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1552-104-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1556-171-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1560-1053-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1584-1119-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1592-1089-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1640-1178-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1688-75-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1700-1135-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1704-121-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1760-1194-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1772-630-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1772-57-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1876-1099-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1884-1024-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1928-1080-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1948-93-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1980-109-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1992-1076-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2008-270-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2040-706-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2056-1093-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2056-1096-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2088-1109-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2100-167-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2108-169-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-781-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-820-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2176-1191-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2192-450-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2192-463-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2204-146-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2216-176-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2216-1040-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2268-136-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2272-82-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2280-377-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2284-114-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2284-112-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2292-1145-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2292-1142-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2300-159-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2328-1116-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2336-157-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2344-116-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2348-1106-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2352-1110-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2352-1113-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2372-948-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2372-155-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2408-1059-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2412-163-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2412-87-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2444-1175-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2456-1184-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2484-127-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2488-125-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2496-174-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2564-1070-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2568-131-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2580-1132-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2580-1129-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2588-1163-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2592-1048-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2636-1056-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2636-33-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2672-1038-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2688-172-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2688-79-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2688-15-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2692-132-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2692-134-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2728-1046-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2756-1050-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2788-1138-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2796-1151-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2808-1128-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2824-129-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2836-1103-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2836-1100-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2856-151-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2856-149-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2856-63-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2860-1125-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2864-323-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2864-1086-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2868-67-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2868-70-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2872-1169-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2892-148-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2948-153-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2976-860-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2976-886-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2976-542-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2980-1083-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3016-301-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3024-1092-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3056-52-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3056-49-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3064-1148-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3064-142-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3064-144-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download