042910348adf112fe022f5e14462014eff7edb21a9afe0a2a79990b046f81dc3

Analysis

max time kernel
4s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13b279af1c26c20b78e53df5cde78b73.exe
Size

43KB
MD5

13b279af1c26c20b78e53df5cde78b73
SHA1

4db48d04e5a41a25e47cb09c0a4c2cdd315a1330
SHA256

042910348adf112fe022f5e14462014eff7edb21a9afe0a2a79990b046f81dc3
SHA512

d139a30b301b64ef299f6735e6289693a8dfcdbb982e0a772b761ff0ca6f352a69854262b779dee8defcf73a65b9818ded8554c3737c04405f1c9cac1e9fac2d
SSDEEP

768:mfnqyNnxRcocMo6lyXPLDpUbY+aJcm4hmqHbcqwbLLSc//MYpDfd7lwg:2nfNnxuqotXPPpR4hQXLSGRDFX

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	5764	cmd.exe	352

Executes dropped EXE 64 IoCs

pid	Process
3084	13b279af1c26c20b78e53df5cde78b73.exe
3200	13b279af1c26c20b78e53df5cde78b73.exe
4624	cmd.exe
4452	13b279af1c26c20b78e53df5cde78b73.exe
2268	13b279af1c26c20b78e53df5cde78b73.exe
3308	13b279af1c26c20b78e53df5cde78b73.exe
3068	13b279af1c26c20b78e53df5cde78b73.exe
3260	13b279af1c26c20b78e53df5cde78b73.exe
2488	13b279af1c26c20b78e53df5cde78b73.exe
3004	13b279af1c26c20b78e53df5cde78b73.exe
3044	13b279af1c26c20b78e53df5cde78b73.exe
3000	13b279af1c26c20b78e53df5cde78b73.exe
2072	13b279af1c26c20b78e53df5cde78b73.exe
3224	13b279af1c26c20b78e53df5cde78b73.exe
4696	13b279af1c26c20b78e53df5cde78b73.exe
1624	13b279af1c26c20b78e53df5cde78b73.exe
1344	13b279af1c26c20b78e53df5cde78b73.exe
2860	13b279af1c26c20b78e53df5cde78b73.exe
2364	13b279af1c26c20b78e53df5cde78b73.exe
3804	13b279af1c26c20b78e53df5cde78b73.exe
3624	13b279af1c26c20b78e53df5cde78b73.exe
1364	13b279af1c26c20b78e53df5cde78b73.exe
436	13b279af1c26c20b78e53df5cde78b73.exe
4440	13b279af1c26c20b78e53df5cde78b73.exe
4360	13b279af1c26c20b78e53df5cde78b73.exe
668	13b279af1c26c20b78e53df5cde78b73.exe
2248	13b279af1c26c20b78e53df5cde78b73.exe
556	13b279af1c26c20b78e53df5cde78b73.exe
1916	cmd.exe
2792	13b279af1c26c20b78e53df5cde78b73.exe
4908	13b279af1c26c20b78e53df5cde78b73.exe
1612	cmd.exe
3324	cmd.exe
4832	13b279af1c26c20b78e53df5cde78b73.exe
1148	13b279af1c26c20b78e53df5cde78b73.exe
1012	13b279af1c26c20b78e53df5cde78b73.exe
3308	13b279af1c26c20b78e53df5cde78b73.exe
4664	13b279af1c26c20b78e53df5cde78b73.exe
2444	13b279af1c26c20b78e53df5cde78b73.exe
5064	cmd.exe
540	13b279af1c26c20b78e53df5cde78b73.exe
5080	13b279af1c26c20b78e53df5cde78b73.exe
4020	13b279af1c26c20b78e53df5cde78b73.exe
8	cmd.exe
4188	cmd.exe
3736	13b279af1c26c20b78e53df5cde78b73.exe
1344	13b279af1c26c20b78e53df5cde78b73.exe
2860	13b279af1c26c20b78e53df5cde78b73.exe
3516	13b279af1c26c20b78e53df5cde78b73.exe
1528	cmd.exe
1616	13b279af1c26c20b78e53df5cde78b73.exe
4356	13b279af1c26c20b78e53df5cde78b73.exe
1076	13b279af1c26c20b78e53df5cde78b73.exe
2692	13b279af1c26c20b78e53df5cde78b73.exe
3988	13b279af1c26c20b78e53df5cde78b73.exe
1940	13b279af1c26c20b78e53df5cde78b73.exe
1540	13b279af1c26c20b78e53df5cde78b73.exe
4336	13b279af1c26c20b78e53df5cde78b73.exe
1360	13b279af1c26c20b78e53df5cde78b73.exe
3240	13b279af1c26c20b78e53df5cde78b73.exe
1892	13b279af1c26c20b78e53df5cde78b73.exe
1652	13b279af1c26c20b78e53df5cde78b73.exe
2096	13b279af1c26c20b78e53df5cde78b73.exe
3260	13b279af1c26c20b78e53df5cde78b73.exe

Drops file in System32 directory 64 IoCs

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1612	cmd.exe
Token: SeIncBasePriorityPrivilege	3084	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3200	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4624	cmd.exe
Token: SeIncBasePriorityPrivilege	4452	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2268	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3308	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3068	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3260	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2488	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3004	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3044	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3000	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2072	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3224	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4696	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1624	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1344	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2860	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2364	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3804	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3624	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1364	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	436	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4440	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4360	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	668	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2248	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	556	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1916	cmd.exe
Token: SeIncBasePriorityPrivilege	2792	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4908	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1612	cmd.exe
Token: SeIncBasePriorityPrivilege	3324	cmd.exe
Token: SeIncBasePriorityPrivilege	4832	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1148	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1012	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3308	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4664	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2444	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	5064	cmd.exe
Token: SeIncBasePriorityPrivilege	540	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	5080	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4020	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	8	cmd.exe
Token: SeIncBasePriorityPrivilege	4188	cmd.exe
Token: SeIncBasePriorityPrivilege	3736	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1344	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2860	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3516	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1528	cmd.exe
Token: SeIncBasePriorityPrivilege	1616	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4356	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1076	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2692	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3988	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1940	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1540	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	4336	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1360	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	3240	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1892	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	1652	13b279af1c26c20b78e53df5cde78b73.exe
Token: SeIncBasePriorityPrivilege	2096	13b279af1c26c20b78e53df5cde78b73.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1612	13b279af1c26c20b78e53df5cde78b73.exe
1612	13b279af1c26c20b78e53df5cde78b73.exe
3084	13b279af1c26c20b78e53df5cde78b73.exe
3084	13b279af1c26c20b78e53df5cde78b73.exe
3200	13b279af1c26c20b78e53df5cde78b73.exe
3200	13b279af1c26c20b78e53df5cde78b73.exe
4624	cmd.exe
4624	cmd.exe
4452	13b279af1c26c20b78e53df5cde78b73.exe
4452	13b279af1c26c20b78e53df5cde78b73.exe
2268	13b279af1c26c20b78e53df5cde78b73.exe
2268	13b279af1c26c20b78e53df5cde78b73.exe
3308	13b279af1c26c20b78e53df5cde78b73.exe
3308	13b279af1c26c20b78e53df5cde78b73.exe
3068	13b279af1c26c20b78e53df5cde78b73.exe
3068	13b279af1c26c20b78e53df5cde78b73.exe
3260	13b279af1c26c20b78e53df5cde78b73.exe
3260	13b279af1c26c20b78e53df5cde78b73.exe
2488	13b279af1c26c20b78e53df5cde78b73.exe
2488	13b279af1c26c20b78e53df5cde78b73.exe
3004	13b279af1c26c20b78e53df5cde78b73.exe
3004	13b279af1c26c20b78e53df5cde78b73.exe
3044	13b279af1c26c20b78e53df5cde78b73.exe
3044	13b279af1c26c20b78e53df5cde78b73.exe
3000	13b279af1c26c20b78e53df5cde78b73.exe
3000	13b279af1c26c20b78e53df5cde78b73.exe
2072	13b279af1c26c20b78e53df5cde78b73.exe
2072	13b279af1c26c20b78e53df5cde78b73.exe
3224	13b279af1c26c20b78e53df5cde78b73.exe
3224	13b279af1c26c20b78e53df5cde78b73.exe
4696	13b279af1c26c20b78e53df5cde78b73.exe
4696	13b279af1c26c20b78e53df5cde78b73.exe
1624	13b279af1c26c20b78e53df5cde78b73.exe
1624	13b279af1c26c20b78e53df5cde78b73.exe
1344	13b279af1c26c20b78e53df5cde78b73.exe
1344	13b279af1c26c20b78e53df5cde78b73.exe
2860	13b279af1c26c20b78e53df5cde78b73.exe
2860	13b279af1c26c20b78e53df5cde78b73.exe
2364	13b279af1c26c20b78e53df5cde78b73.exe
2364	13b279af1c26c20b78e53df5cde78b73.exe
3804	13b279af1c26c20b78e53df5cde78b73.exe
3804	13b279af1c26c20b78e53df5cde78b73.exe
3624	13b279af1c26c20b78e53df5cde78b73.exe
3624	13b279af1c26c20b78e53df5cde78b73.exe
1364	13b279af1c26c20b78e53df5cde78b73.exe
1364	13b279af1c26c20b78e53df5cde78b73.exe
436	13b279af1c26c20b78e53df5cde78b73.exe
436	13b279af1c26c20b78e53df5cde78b73.exe
4440	13b279af1c26c20b78e53df5cde78b73.exe
4440	13b279af1c26c20b78e53df5cde78b73.exe
4360	13b279af1c26c20b78e53df5cde78b73.exe
4360	13b279af1c26c20b78e53df5cde78b73.exe
668	13b279af1c26c20b78e53df5cde78b73.exe
668	13b279af1c26c20b78e53df5cde78b73.exe
2248	13b279af1c26c20b78e53df5cde78b73.exe
2248	13b279af1c26c20b78e53df5cde78b73.exe
556	13b279af1c26c20b78e53df5cde78b73.exe
556	13b279af1c26c20b78e53df5cde78b73.exe
1916	cmd.exe
1916	cmd.exe
2792	13b279af1c26c20b78e53df5cde78b73.exe
2792	13b279af1c26c20b78e53df5cde78b73.exe
4908	13b279af1c26c20b78e53df5cde78b73.exe
4908	13b279af1c26c20b78e53df5cde78b73.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3084	1612	13b279af1c26c20b78e53df5cde78b73.exe	89
PID 1612 wrote to memory of 3084	1612	13b279af1c26c20b78e53df5cde78b73.exe	89
PID 1612 wrote to memory of 3084	1612	13b279af1c26c20b78e53df5cde78b73.exe	89
PID 1612 wrote to memory of 2128	1612	cmd.exe	90
PID 1612 wrote to memory of 2128	1612	cmd.exe	90
PID 1612 wrote to memory of 2128	1612	cmd.exe	90
PID 3084 wrote to memory of 3200	3084	13b279af1c26c20b78e53df5cde78b73.exe	149
PID 3084 wrote to memory of 3200	3084	13b279af1c26c20b78e53df5cde78b73.exe	149
PID 3084 wrote to memory of 3200	3084	13b279af1c26c20b78e53df5cde78b73.exe	149
PID 3084 wrote to memory of 3212	3084	13b279af1c26c20b78e53df5cde78b73.exe	547
PID 3084 wrote to memory of 3212	3084	13b279af1c26c20b78e53df5cde78b73.exe	547
PID 3084 wrote to memory of 3212	3084	13b279af1c26c20b78e53df5cde78b73.exe	547
PID 3200 wrote to memory of 4624	3200	13b279af1c26c20b78e53df5cde78b73.exe	273
PID 3200 wrote to memory of 4624	3200	13b279af1c26c20b78e53df5cde78b73.exe	273
PID 3200 wrote to memory of 4624	3200	13b279af1c26c20b78e53df5cde78b73.exe	273
PID 3200 wrote to memory of 3188	3200	13b279af1c26c20b78e53df5cde78b73.exe	657
PID 3200 wrote to memory of 3188	3200	13b279af1c26c20b78e53df5cde78b73.exe	657
PID 3200 wrote to memory of 3188	3200	13b279af1c26c20b78e53df5cde78b73.exe	657
PID 4624 wrote to memory of 4452	4624	cmd.exe	656
PID 4624 wrote to memory of 4452	4624	cmd.exe	656
PID 4624 wrote to memory of 4452	4624	cmd.exe	656
PID 4624 wrote to memory of 1240	4624	cmd.exe	655
PID 4624 wrote to memory of 1240	4624	cmd.exe	655
PID 4624 wrote to memory of 1240	4624	cmd.exe	655
PID 4452 wrote to memory of 2268	4452	13b279af1c26c20b78e53df5cde78b73.exe	654
PID 4452 wrote to memory of 2268	4452	13b279af1c26c20b78e53df5cde78b73.exe	654
PID 4452 wrote to memory of 2268	4452	13b279af1c26c20b78e53df5cde78b73.exe	654
PID 4452 wrote to memory of 1512	4452	13b279af1c26c20b78e53df5cde78b73.exe	653
PID 4452 wrote to memory of 1512	4452	13b279af1c26c20b78e53df5cde78b73.exe	653
PID 4452 wrote to memory of 1512	4452	13b279af1c26c20b78e53df5cde78b73.exe	653
PID 2268 wrote to memory of 3308	2268	13b279af1c26c20b78e53df5cde78b73.exe	652
PID 2268 wrote to memory of 3308	2268	13b279af1c26c20b78e53df5cde78b73.exe	652
PID 2268 wrote to memory of 3308	2268	13b279af1c26c20b78e53df5cde78b73.exe	652
PID 2268 wrote to memory of 1896	2268	13b279af1c26c20b78e53df5cde78b73.exe	651
PID 2268 wrote to memory of 1896	2268	13b279af1c26c20b78e53df5cde78b73.exe	651
PID 2268 wrote to memory of 1896	2268	13b279af1c26c20b78e53df5cde78b73.exe	651
PID 3308 wrote to memory of 3068	3308	13b279af1c26c20b78e53df5cde78b73.exe	650
PID 3308 wrote to memory of 3068	3308	13b279af1c26c20b78e53df5cde78b73.exe	650
PID 3308 wrote to memory of 3068	3308	13b279af1c26c20b78e53df5cde78b73.exe	650
PID 3308 wrote to memory of 4304	3308	13b279af1c26c20b78e53df5cde78b73.exe	649
PID 3308 wrote to memory of 4304	3308	13b279af1c26c20b78e53df5cde78b73.exe	649
PID 3308 wrote to memory of 4304	3308	13b279af1c26c20b78e53df5cde78b73.exe	649
PID 3068 wrote to memory of 3260	3068	13b279af1c26c20b78e53df5cde78b73.exe	648
PID 3068 wrote to memory of 3260	3068	13b279af1c26c20b78e53df5cde78b73.exe	648
PID 3068 wrote to memory of 3260	3068	13b279af1c26c20b78e53df5cde78b73.exe	648
PID 3068 wrote to memory of 4984	3068	13b279af1c26c20b78e53df5cde78b73.exe	647
PID 3068 wrote to memory of 4984	3068	13b279af1c26c20b78e53df5cde78b73.exe	647
PID 3068 wrote to memory of 4984	3068	13b279af1c26c20b78e53df5cde78b73.exe	647
PID 3260 wrote to memory of 2488	3260	13b279af1c26c20b78e53df5cde78b73.exe	646
PID 3260 wrote to memory of 2488	3260	13b279af1c26c20b78e53df5cde78b73.exe	646
PID 3260 wrote to memory of 2488	3260	13b279af1c26c20b78e53df5cde78b73.exe	646
PID 3260 wrote to memory of 2004	3260	13b279af1c26c20b78e53df5cde78b73.exe	644
PID 3260 wrote to memory of 2004	3260	13b279af1c26c20b78e53df5cde78b73.exe	644
PID 3260 wrote to memory of 2004	3260	13b279af1c26c20b78e53df5cde78b73.exe	644
PID 2488 wrote to memory of 3004	2488	13b279af1c26c20b78e53df5cde78b73.exe	643
PID 2488 wrote to memory of 3004	2488	13b279af1c26c20b78e53df5cde78b73.exe	643
PID 2488 wrote to memory of 3004	2488	13b279af1c26c20b78e53df5cde78b73.exe	643
PID 2488 wrote to memory of 5064	2488	13b279af1c26c20b78e53df5cde78b73.exe	642
PID 2488 wrote to memory of 5064	2488	13b279af1c26c20b78e53df5cde78b73.exe	642
PID 2488 wrote to memory of 5064	2488	13b279af1c26c20b78e53df5cde78b73.exe	642
PID 3004 wrote to memory of 3044	3004	13b279af1c26c20b78e53df5cde78b73.exe	641
PID 3004 wrote to memory of 3044	3004	13b279af1c26c20b78e53df5cde78b73.exe	641
PID 3004 wrote to memory of 3044	3004	13b279af1c26c20b78e53df5cde78b73.exe	641
PID 3004 wrote to memory of 1456	3004	13b279af1c26c20b78e53df5cde78b73.exe	640

C:\Users\Admin\AppData\Local\Temp\13b279af1c26c20b78e53df5cde78b73.exe
"C:\Users\Admin\AppData\Local\Temp\13b279af1c26c20b78e53df5cde78b73.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3200
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\13B279~1.EXE > nul
  2⤵
  PID:2128

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3824
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3804

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4736
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1364

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2708
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:556

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1916

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1612
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1656

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4856
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4304
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3068

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4636
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5064

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:8

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3100
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1528

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1076
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:3464
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5400

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4540
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4480

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3124
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Drops file in System32 directory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Drops file in System32 directory
    PID:1868

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2668
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5076

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3984

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3052
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3800

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1312

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Drops file in System32 directory
PID:2272
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:828

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:4848

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1444
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5044

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2000

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1356
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3736
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:2208

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Drops file in System32 directory
PID:1556
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Drops file in System32 directory
    PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2140

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:4324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:864
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Drops file in System32 directory
  PID:1392

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1656
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:640
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4936

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:4648
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4796

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:692
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:4188
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4696

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:4516
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Drops file in System32 directory
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:1780

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3472
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:1864
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:3240
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:3304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:3160
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3088
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        Drops file in System32 directory
        
        PID:4612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2320

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2640
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3212

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1316
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3300
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:396

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3240
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4044
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3304
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:2208
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:2588
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:4800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:4188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2840
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3592
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Drops file in System32 directory
  PID:1312
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:3184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:1160
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Drops file in System32 directory
    PID:664

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2640

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3088
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4984

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    - Drops file in System32 directory
    PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Drops file in System32 directory
      PID:4340
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1684
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:988

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3736
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    - Drops file in System32 directory
    PID:3800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:4892
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        Drops file in System32 directory
        
        PID:1400
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4440
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:2152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3588
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2860

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Drops file in System32 directory
PID:4796
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:624
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5080
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:3000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5176
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:3940
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2072
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:3644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:3296
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:2548
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        Drops file in System32 directory
        
        PID:3284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:4032
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4180
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Drops file in System32 directory
  PID:3704

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5236
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5276
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5384
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5304

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5396
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5424

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5520
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5560
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5604
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5644
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5684
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        9⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        10⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        10⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5796
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5756
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5456
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:6052
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5976
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:6068
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5592

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5928
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:6012
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:6052
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:6092
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:6120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:6080

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5404
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5376

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5372

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5528
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5524

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5660

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5764

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5864
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5984
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5872

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:6088
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5972

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:6024
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5212
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5232
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:5500
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:6132

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1544
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5576

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3112
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5716

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5324
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1752

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5152

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5620
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5688
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:1076
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:2224
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5464
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:3556
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5620
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:6020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:4344
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5648

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5220
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5376
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5852
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:5612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5252

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:6072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4448
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:6040

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:1624
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5476
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:5016
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:5688
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:5876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:3464
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5160
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5248
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5208

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:6024
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5380
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:1476
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:6112

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5600

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:548
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5768
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5836
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5644
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5820

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5668
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:6100
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:5464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:6032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:6108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:2224
    - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        5⤵
        
        PID:1916
      - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        6⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        9⤵
        
        PID:528
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        10⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        12⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        13⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        14⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        15⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        16⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        17⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        18⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        19⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        20⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        21⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        22⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        23⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        24⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        25⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        26⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        27⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        28⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        29⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        30⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        31⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        32⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        33⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        34⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        35⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        36⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        37⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        38⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        39⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        40⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        41⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        42⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        43⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        44⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        45⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        46⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        47⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        48⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        49⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        50⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        51⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        52⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        53⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        54⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        55⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        56⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        57⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        58⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        59⤵
        
        PID:772
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        60⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        61⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        62⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        63⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        64⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        65⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        66⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        67⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        68⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        69⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        70⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        71⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        72⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        73⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        74⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        75⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        76⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        77⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        78⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        79⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        80⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        81⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        82⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        83⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        84⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        85⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        86⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        87⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        88⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        89⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        90⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        91⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        92⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        93⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        94⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        95⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        96⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        97⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        98⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        99⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        100⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        101⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        102⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        103⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        104⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        105⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        106⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        107⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        108⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        109⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        110⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        111⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        112⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        113⤵
        
        PID:988
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        114⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        115⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        116⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        117⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        118⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        119⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        120⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        121⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        122⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        123⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        124⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        125⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        126⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        127⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        128⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        129⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        130⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        131⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        132⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        133⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        134⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        135⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        136⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        137⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        138⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        139⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        140⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        141⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        142⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        143⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        144⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        145⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        146⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        147⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        148⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        149⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        150⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        151⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        152⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        153⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        154⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        155⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        156⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        157⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        158⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        159⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        160⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        161⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        162⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        163⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        164⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        165⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        166⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        167⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        168⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        169⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        170⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        171⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        172⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        173⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        174⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        175⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        176⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        177⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        178⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        179⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        180⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        181⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        182⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        183⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        184⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        185⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        186⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        187⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        188⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        189⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        190⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        191⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        192⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        193⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        194⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        195⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        196⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        197⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        198⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        199⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        200⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        201⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        202⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        203⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        204⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        205⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        206⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        207⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        208⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        209⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        210⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        211⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        212⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        213⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        214⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        215⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        216⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        217⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        218⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        219⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        220⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        221⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        222⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        223⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        224⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        225⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        226⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        227⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        228⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        229⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        230⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        231⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        232⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        233⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        234⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        235⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        236⤵
        
        PID:8600
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        237⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
        
        C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
        238⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        237⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        236⤵
        
        PID:8632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        235⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        234⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        233⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        232⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        231⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        230⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        229⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        228⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        227⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        226⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        225⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        224⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        223⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        222⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        221⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        220⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        219⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        218⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        217⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        216⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        215⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        214⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        213⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        212⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        211⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        210⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        209⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        208⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        207⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        206⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        205⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        204⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        203⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        202⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        201⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        200⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        199⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        198⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        197⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        196⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        195⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        194⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        193⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        192⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        191⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        190⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        189⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        188⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        187⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        186⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        185⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        184⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        183⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        182⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        181⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        180⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        179⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        178⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        177⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        176⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        175⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        174⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        173⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        172⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        171⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        170⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        169⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        168⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        167⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        166⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        165⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        164⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        163⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        162⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        161⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        160⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        159⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        158⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        157⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        156⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        155⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        154⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        153⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        152⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        151⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        150⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        149⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        148⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        147⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        146⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        145⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        144⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        143⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        142⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        141⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        140⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        139⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        138⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        137⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        136⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        135⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        134⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        133⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        132⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        131⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        130⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        129⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        128⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        127⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        126⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        125⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        124⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        123⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        122⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        121⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        120⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        119⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        118⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        117⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        116⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        115⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        114⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        113⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        112⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        111⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        110⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        109⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        108⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        107⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        106⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        105⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        104⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        103⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        102⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        101⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        100⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        99⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        98⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        97⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        96⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        95⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        94⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        93⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        92⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        91⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        90⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        89⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        88⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        87⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        86⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        85⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        84⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        83⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        82⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        81⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        80⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        79⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        78⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        77⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        76⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        75⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        74⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        73⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        72⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        71⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        70⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        69⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        68⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        67⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        66⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        65⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        64⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        63⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        62⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        61⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        60⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        59⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        58⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        57⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        56⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        55⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        54⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        53⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        52⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        51⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        50⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        49⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        48⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        47⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        46⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        45⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        44⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        43⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        42⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        41⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        40⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        39⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        38⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        37⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        36⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        35⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        34⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        33⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        32⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        31⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        30⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        29⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        28⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        27⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        26⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        25⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        24⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        23⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        22⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        21⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        20⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        19⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        18⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        17⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        16⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        15⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        14⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        13⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        12⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        11⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        10⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        9⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:4896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        7⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5940
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:6128
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1148

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5152
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:3296
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:5680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        6⤵
        
        PID:6064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
        5⤵
        
        PID:5956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    - Drops file in System32 directory
    PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5556
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:5288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:864
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:5224
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:5188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4668
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
- Process spawned unexpected child process
PID:5788

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:5740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  - Drops file in System32 directory
  PID:4648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:880
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Drops file in System32 directory
  PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
      C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Drops file in System32 directory
    PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
- Drops file in System32 directory
PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2372
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:3472
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2404

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
    C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3212

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2004
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2976

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3856

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2792
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4908

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:828
- C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
  C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2792

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4180

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2492

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3296

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
  2⤵
  PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:3184

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:864

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:5016

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2016

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1896

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\13B279~1.EXE > nul
1⤵
PID:1512

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe
C:\Windows\system32\13b279af1c26c20b78e53df5cde78b73.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe

Filesize
43KB

MD5
13b279af1c26c20b78e53df5cde78b73

SHA1
4db48d04e5a41a25e47cb09c0a4c2cdd315a1330

SHA256
042910348adf112fe022f5e14462014eff7edb21a9afe0a2a79990b046f81dc3

SHA512
d139a30b301b64ef299f6735e6289693a8dfcdbb982e0a772b761ff0ca6f352a69854262b779dee8defcf73a65b9818ded8554c3737c04405f1c9cac1e9fac2d

Download Submit
memory/8-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/436-183-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/436-188-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/436-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/540-98-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/556-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/664-189-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/664-194-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/668-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1012-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1076-124-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1148-85-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1168-153-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1168-158-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1312-191-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1312-186-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1344-108-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1344-111-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1344-42-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1344-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1360-136-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1364-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1444-207-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1444-212-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1528-117-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1540-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1612-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1612-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1612-78-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1616-120-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1624-39-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1624-43-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1652-142-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1868-156-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1868-161-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1892-140-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1916-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1940-130-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-213-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2000-218-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2072-35-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2096-143-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2248-68-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2268-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2272-192-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2272-197-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2364-50-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2444-94-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2488-27-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2488-152-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2488-147-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2536-149-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2536-144-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2548-173-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2548-168-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2668-164-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2668-159-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2692-126-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2792-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2860-113-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2860-47-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2940-210-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2940-215-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3000-33-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3004-26-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3004-29-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3044-31-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3052-177-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3052-182-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3068-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3068-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3084-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3084-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3124-155-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3124-150-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3200-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3224-37-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3240-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3260-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3260-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3284-167-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3284-162-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3304-216-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3308-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3308-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3308-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3324-81-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3516-115-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3592-174-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3592-179-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3624-52-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3624-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3736-109-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3800-180-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3800-185-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3804-49-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3804-53-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3984-176-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3984-171-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3988-128-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4020-102-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4188-106-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4336-134-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4340-203-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4340-198-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4356-122-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4356-119-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4360-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4360-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4440-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4452-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4484-209-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4484-204-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4624-10-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4624-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4664-92-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4696-40-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4740-195-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4740-200-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4832-83-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4832-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4848-206-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4848-201-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4908-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5064-96-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5076-170-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5076-165-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/5080-100-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

description	ioc	Process
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	Process not Found
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	cmd.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe
File created	C:\Windows\SysWOW64\13b279af1c26c20b78e53df5cde78b73.exe	13b279af1c26c20b78e53df5cde78b73.exe