troldesh | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Analysis

max time kernel
1046s
max time network
1054s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
27/02/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

troldesh persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4764-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-5-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-35-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-186-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-187-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-188-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-191-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-193-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-194-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-196-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-197-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-198-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-199-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-200-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-201-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-202-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-203-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-204-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-205-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-206-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-207-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-208-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-209-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-210-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-211-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-212-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-213-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-214-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-215-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-216-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-217-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-218-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-219-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-220-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-221-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-222-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-223-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-224-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-225-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-226-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-227-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-228-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-229-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-230-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-231-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-232-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-233-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-234-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-235-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-236-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-237-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-238-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-239-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-240-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-241-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-242-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-243-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-244-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-245-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4764-246-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 82003100000000005b588a831000494d474f4e4e7e3100006a0009000400efbe5b5882835b588a832e0000006aa6010000000a00000000000000000000000000000035073f0069006d00200067006f006e006e00610020006700690076006500200079006f0075002000610020006c006f0062006f0074006f006d007900000018000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4764	[email protected]
4764	[email protected]
4764	[email protected]
4764	[email protected]

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	firefox.exe
Token: SeDebugPrivilege	2776	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2776	firefox.exe
2776	firefox.exe
2776	firefox.exe
2776	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2776	firefox.exe
2776	firefox.exe
2776	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1856	AcroRd32.exe
1856	AcroRd32.exe
1856	AcroRd32.exe
1856	AcroRd32.exe
2776	firefox.exe
4884	NOTEPAD.EXE
4884	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4632	1856	AcroRd32.exe	78
PID 1856 wrote to memory of 4632	1856	AcroRd32.exe	78
PID 1856 wrote to memory of 4632	1856	AcroRd32.exe	78
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 3444	4632	RdrCEF.exe	79
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80
PID 4632 wrote to memory of 4320	4632	RdrCEF.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\FormatEnable.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2CD2525F79FBBFC6D98BE506332EA4C7 --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6466A6F9C092B162DDA32D19A2275FCC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6466A6F9C092B162DDA32D19A2275FCC --renderer-client-id=2 --mojo-platform-channel-handle=1648 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0FFEB05B30C4AC195D8F3BBE36D8288B --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:424
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=187DCE2B830F03E6AC792457A41300FF --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2360
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05D65326E92662A2F2A4A2942A97A465 --mojo-platform-channel-handle=1708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4680
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.0.217614155\290639267" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1660 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3a39261-3fd0-4572-934d-e24fb76cd6cc} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 1764 23f8cffae58 gpu
    3⤵
    PID:3356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.1.107639289\329178422" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3615a060-4847-4dce-a1c2-d7be210f71b8} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 2120 23f8cb3b558 socket
    3⤵
    - Checks processor information in registry
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.2.746049617\1592554841" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e1c2403-769e-471a-bb2f-99ebc0711e1a} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 3132 23f91207e58 tab
    3⤵
    PID:3780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.3.603888517\774968044" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c3f42ef-9ac6-4de3-9f68-0e0291e0f2c5} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 3476 23f91f0fb58 tab
    3⤵
    PID:4648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.4.1812919980\140286116" -childID 3 -isForBrowser -prefsHandle 4144 -prefMapHandle 4140 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77dae549-915e-4b82-86db-af05208b36aa} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 4164 23f92df6458 tab
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.7.542302429\204496557" -childID 6 -isForBrowser -prefsHandle 5096 -prefMapHandle 5100 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12ae936b-9fdf-4355-9f2b-3386bef88614} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 5084 23f933fc058 tab
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.6.137027230\457142608" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 4880 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4795893-3de3-4afc-8552-ef00543f8e1f} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 4960 23f933fbd58 tab
    3⤵
    PID:4540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2776.5.645440876\301804943" -childID 4 -isForBrowser -prefsHandle 4780 -prefMapHandle 4772 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20caee32-19f3-4d67-ba8a-ddfa873f16c7} 2776 "\\.\pipe\gecko-crash-server-pipe.2776" 4760 23f81f5fb58 tab
    3⤵
    PID:4968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3364

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\im gonna give you a lobotomy\New Text Document.txt
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\im gonna give you a lobotomy\New Text Document.bat" "
1⤵
PID:360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:96
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:17152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19120
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:18880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29364
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:29004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31736
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9072
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:13928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:17868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:15012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:14132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:10516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20176
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:20164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:19584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:24280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:22696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23248
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:23060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:21432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:27728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28600
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:11464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:30012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:28784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:33620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:31344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:16368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:17604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2z6vy7e.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
715e0caa95cc7882db7970d9cb8a17ab

SHA1
85f66a1dc9882e4c90f65a5d92f79342c6881767

SHA256
0c152cd7484e03654a66c962a44ddd95c143bebc64269bea0a8a2f1bb98f17fd

SHA512
1a26566ddddf487f63511233893a31a875f51a40e7593e014af7b15b4046be0d96e3814400fc062a885889bf565785f7ace2d02b14a931abe13ea366f0da9e7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2z6vy7e.default-release\datareporting\glean\pending_pings\9193d63a-694c-4a2b-8125-55182df03f85

Filesize
746B

MD5
44274e88ccd88b2d3076aa5012eaa12d

SHA1
51aabd90a6f575140a3a14dd9aed174d3b29a4d0

SHA256
91416bf50e764f490b23ab7c4cccd68656af12b19940303d1f327315b7d99704

SHA512
0f80e5fbf5608ff5deab6958c79dd65e99664ea83d5ca4cb9a1cb4c4eff3b513875903cdf17ad8acbfd8bd2415e0d40c2bc7a512f47e8ddf9e4de6ba616f2945

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2z6vy7e.default-release\datareporting\glean\pending_pings\b48ba262-3532-4a82-9e02-d7524b8af31d

Filesize
11KB

MD5
31a4e20e9c0abe700e222956d9eca30a

SHA1
ebead49d45122fcf139d2c25831e7808ffabd435

SHA256
be56c7c0f957f3e204ffa2705fce7c667ed4d7f500097a6e876cf1dcecfcc6c1

SHA512
6ca3081328b9cf8bfa66745c3c0bc72625e0db47f27a087ebcd206f5d61ae20e2c3e2221eb40dcc9a37d357b64ce09cc542c572f687df0b679c75b6338f72989

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2z6vy7e.default-release\prefs-1.js

Filesize
6KB

MD5
4558b988ac1c0e6f4bb7a7249a546f8a

SHA1
782854daa19347f022681f5614089b815ede8b20

SHA256
b289f1a339b1a28d470553d15a5d09944deedbd849afd0eab339183aa21c4a8b

SHA512
4cc1e80018a7bc6990d05486ac2c434528348aaccf52180910cc860db6f04e5062fae2d3f5e3a5008881389e75eaa08756230f4ec2c1c53591ea7d67aa8ea7d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t2z6vy7e.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
a9523b998bf6eb84ee7f1f75d6757b1e

SHA1
93af541b2e236ed37f929fdf59551e0b4d05d63a

SHA256
ebaed0ab8b59f37f8a1ba92371eb0202850446ab0a5c992c07e22b29e8604861

SHA512
cad0a1d457b7cd85997eac6a02c16dff82f130d97ebb16eadfb4709263ec5c6b2753d38e1c43b40c81bc5a74159b212b65fd02c5b39434f623cb7ef52341e658

Download Submit
C:\Users\Admin\Desktop\im gonna give you a lobotomy\New Text Document.bat

Filesize
17B

MD5
d137601a016472ef47373e4fb8ca836c

SHA1
210413aa474a92b621d1688d291cd330e8eabaf2

SHA256
dbb0a5f38e6fe9a8c5e152b54a5cd3749d2d5ced39ca596fcc764eba56755910

SHA512
2bfa5d8a1eeb45392d5ab3dc1209fcb908385d684a290e1b7d9d89187f9b4d476460d5b3a1ccbf67274c44e5815e32e52bdc5fe85a26ddec7e343833e59a37e0

Download Submit
memory/4764-212-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-216-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-214-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-5-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-186-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-187-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-188-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-191-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-193-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-194-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-196-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-197-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-198-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-199-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-200-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-201-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-202-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-203-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-204-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-205-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-206-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-207-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-208-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-209-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-210-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-211-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-0-0x0000000002320000-0x00000000023EE000-memory.dmp

Filesize
824KB

Download
memory/4764-213-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-35-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-223-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-217-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-218-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-219-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-220-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-221-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-222-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-215-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-224-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-225-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-226-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-227-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-228-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-229-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-230-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-231-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-232-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-233-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-234-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-235-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-236-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-237-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-238-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-239-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-240-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-241-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-242-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-243-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-244-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-245-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-246-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4764-247-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download