3f8681da6b6677333cefcc87bd7850d05e34eb4f9e287762b7a4e1349053fb1c

Analysis

max time kernel
95s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe
Size

172KB
MD5

69f0067aca1dfc97b3b8beabab998ad9
SHA1

d0d5ea8b2b7033c80017ca5b0cd6018d8f837873
SHA256

3f8681da6b6677333cefcc87bd7850d05e34eb4f9e287762b7a4e1349053fb1c
SHA512

e01db396040fd4515b4bf8f34afd1540ce6610a8abbf89141a74e5f216a538cf6e73992765c2a146dbe362a8eb3b4ae2b2ee94f705bfd91f1ee15f06a16ba7e0
SSDEEP

3072:f3MVwf8KoutpKYyI/rbCEBTqshbd9cmVQLVJ8lrASMZR5iFWMt/pf:f3MVu8KoSpKYx/Lh/0HLyJp

Score

8^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
43	2512	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	systcontrl.exe

Executes dropped EXE 64 IoCs

pid	Process
3020	systcontrl.exe
2140	systcontrl.exe
2356	systcontrl.exe
2452	systcontrl.exe
4680	systcontrl.exe
2912	systcontrl.exe
5016	systcontrl.exe
412	systcontrl.exe
3484	systcontrl.exe
4560	systcontrl.exe
4212	systcontrl.exe
2060	systcontrl.exe
1328	systcontrl.exe
220	systcontrl.exe
4956	systcontrl.exe
856	systcontrl.exe
1464	systcontrl.exe
3224	systcontrl.exe
3868	systcontrl.exe
1436	systcontrl.exe
5088	systcontrl.exe
4164	systcontrl.exe
3496	systcontrl.exe
3172	systcontrl.exe
4532	systcontrl.exe
512	systcontrl.exe
376	systcontrl.exe
3192	systcontrl.exe
5028	systcontrl.exe
1952	systcontrl.exe
2844	systcontrl.exe
4476	systcontrl.exe
4736	systcontrl.exe
1020	systcontrl.exe
852	systcontrl.exe
228	systcontrl.exe
3752	systcontrl.exe
3556	systcontrl.exe
380	systcontrl.exe
376	systcontrl.exe
3192	systcontrl.exe
5028	systcontrl.exe
1952	systcontrl.exe
3468	systcontrl.exe
2900	systcontrl.exe
4664	systcontrl.exe
2636	systcontrl.exe
852	systcontrl.exe
4252	systcontrl.exe
948	systcontrl.exe
4540	systcontrl.exe
380	systcontrl.exe
2004	systcontrl.exe
4124	systcontrl.exe
3224	systcontrl.exe
4448	systcontrl.exe
4276	systcontrl.exe
860	systcontrl.exe
2936	systcontrl.exe
1700	systcontrl.exe
4140	systcontrl.exe
412	systcontrl.exe
1752	systcontrl.exe
4716	systcontrl.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3636-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/files/0x000800000002325a-5.dat	upx
behavioral2/memory/3020-34-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/852-71-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral2/memory/3464-73-0x0000000000400000-0x000000000042C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System-Control Drivers = "systcontrl.exe"	systcontrl.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File created	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe
File opened for modification	C:\Windows\SysWOW64\systcontrl.exe	systcontrl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systcontrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	systcontrl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3020	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2140	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2356	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2452	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4680	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2912	systcontrl.exe
Token: SeIncBasePriorityPrivilege	5016	systcontrl.exe
Token: SeIncBasePriorityPrivilege	412	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3484	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4560	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4212	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2060	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1328	systcontrl.exe
Token: SeIncBasePriorityPrivilege	220	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4956	systcontrl.exe
Token: SeIncBasePriorityPrivilege	856	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1464	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3224	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3868	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1436	systcontrl.exe
Token: SeIncBasePriorityPrivilege	5088	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4164	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3496	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3172	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4532	systcontrl.exe
Token: SeIncBasePriorityPrivilege	512	systcontrl.exe
Token: SeIncBasePriorityPrivilege	376	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3192	systcontrl.exe
Token: SeIncBasePriorityPrivilege	5028	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1952	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2844	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4476	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4736	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1020	systcontrl.exe
Token: SeIncBasePriorityPrivilege	852	systcontrl.exe
Token: SeIncBasePriorityPrivilege	228	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3752	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3556	systcontrl.exe
Token: SeIncBasePriorityPrivilege	380	systcontrl.exe
Token: SeIncBasePriorityPrivilege	376	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3192	systcontrl.exe
Token: SeIncBasePriorityPrivilege	5028	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1952	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3468	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2900	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4664	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2636	systcontrl.exe
Token: SeIncBasePriorityPrivilege	852	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4252	systcontrl.exe
Token: SeIncBasePriorityPrivilege	948	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4540	systcontrl.exe
Token: SeIncBasePriorityPrivilege	380	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2004	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4124	systcontrl.exe
Token: SeIncBasePriorityPrivilege	3224	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4448	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4276	systcontrl.exe
Token: SeIncBasePriorityPrivilege	860	systcontrl.exe
Token: SeIncBasePriorityPrivilege	2936	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1700	systcontrl.exe
Token: SeIncBasePriorityPrivilege	4140	systcontrl.exe
Token: SeIncBasePriorityPrivilege	412	systcontrl.exe
Token: SeIncBasePriorityPrivilege	1752	systcontrl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3020	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	86
PID 3636 wrote to memory of 3020	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	86
PID 3636 wrote to memory of 3020	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	86
PID 3636 wrote to memory of 220	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	87
PID 3636 wrote to memory of 220	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	87
PID 3636 wrote to memory of 220	3636	69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe	87
PID 3020 wrote to memory of 2140	3020	systcontrl.exe	91
PID 3020 wrote to memory of 2140	3020	systcontrl.exe	91
PID 3020 wrote to memory of 2140	3020	systcontrl.exe	91
PID 3020 wrote to memory of 3384	3020	systcontrl.exe	92
PID 3020 wrote to memory of 3384	3020	systcontrl.exe	92
PID 3020 wrote to memory of 3384	3020	systcontrl.exe	92
PID 2140 wrote to memory of 2356	2140	systcontrl.exe	94
PID 2140 wrote to memory of 2356	2140	systcontrl.exe	94
PID 2140 wrote to memory of 2356	2140	systcontrl.exe	94
PID 2140 wrote to memory of 4056	2140	systcontrl.exe	95
PID 2140 wrote to memory of 4056	2140	systcontrl.exe	95
PID 2140 wrote to memory of 4056	2140	systcontrl.exe	95
PID 2356 wrote to memory of 2452	2356	systcontrl.exe	97
PID 2356 wrote to memory of 2452	2356	systcontrl.exe	97
PID 2356 wrote to memory of 2452	2356	systcontrl.exe	97
PID 2356 wrote to memory of 4324	2356	systcontrl.exe	98
PID 2356 wrote to memory of 4324	2356	systcontrl.exe	98
PID 2356 wrote to memory of 4324	2356	systcontrl.exe	98
PID 2452 wrote to memory of 4680	2452	systcontrl.exe	100
PID 2452 wrote to memory of 4680	2452	systcontrl.exe	100
PID 2452 wrote to memory of 4680	2452	systcontrl.exe	100
PID 2452 wrote to memory of 988	2452	systcontrl.exe	101
PID 2452 wrote to memory of 988	2452	systcontrl.exe	101
PID 2452 wrote to memory of 988	2452	systcontrl.exe	101
PID 4680 wrote to memory of 2912	4680	systcontrl.exe	102
PID 4680 wrote to memory of 2912	4680	systcontrl.exe	102
PID 4680 wrote to memory of 2912	4680	systcontrl.exe	102
PID 4680 wrote to memory of 1568	4680	systcontrl.exe	103
PID 4680 wrote to memory of 1568	4680	systcontrl.exe	103
PID 4680 wrote to memory of 1568	4680	systcontrl.exe	103
PID 2912 wrote to memory of 5016	2912	systcontrl.exe	106
PID 2912 wrote to memory of 5016	2912	systcontrl.exe	106
PID 2912 wrote to memory of 5016	2912	systcontrl.exe	106
PID 2912 wrote to memory of 1540	2912	systcontrl.exe	107
PID 2912 wrote to memory of 1540	2912	systcontrl.exe	107
PID 2912 wrote to memory of 1540	2912	systcontrl.exe	107
PID 5016 wrote to memory of 412	5016	systcontrl.exe	109
PID 5016 wrote to memory of 412	5016	systcontrl.exe	109
PID 5016 wrote to memory of 412	5016	systcontrl.exe	109
PID 5016 wrote to memory of 2764	5016	systcontrl.exe	110
PID 5016 wrote to memory of 2764	5016	systcontrl.exe	110
PID 5016 wrote to memory of 2764	5016	systcontrl.exe	110
PID 412 wrote to memory of 3484	412	systcontrl.exe	112
PID 412 wrote to memory of 3484	412	systcontrl.exe	112
PID 412 wrote to memory of 3484	412	systcontrl.exe	112
PID 412 wrote to memory of 1804	412	systcontrl.exe	113
PID 412 wrote to memory of 1804	412	systcontrl.exe	113
PID 412 wrote to memory of 1804	412	systcontrl.exe	113
PID 3484 wrote to memory of 4560	3484	systcontrl.exe	115
PID 3484 wrote to memory of 4560	3484	systcontrl.exe	115
PID 3484 wrote to memory of 4560	3484	systcontrl.exe	115
PID 3484 wrote to memory of 3172	3484	systcontrl.exe	161
PID 3484 wrote to memory of 3172	3484	systcontrl.exe	161
PID 3484 wrote to memory of 3172	3484	systcontrl.exe	161
PID 4560 wrote to memory of 4212	4560	systcontrl.exe	118
PID 4560 wrote to memory of 4212	4560	systcontrl.exe	118
PID 4560 wrote to memory of 4212	4560	systcontrl.exe	118
PID 4560 wrote to memory of 4528	4560	systcontrl.exe	119

C:\Users\Admin\AppData\Local\Temp\69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69f0067aca1dfc97b3b8beabab998ad9_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\systcontrl.exe
  "C:\Windows\system32\systcontrl.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\systcontrl.exe
    "C:\Windows\system32\systcontrl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\systcontrl.exe
      "C:\Windows\system32\systcontrl.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:512
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        30⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        65⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        66⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        67⤵
        Drops file in System32 directory
        
        PID:1232
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        68⤵
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        69⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        70⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        71⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        72⤵
        Adds Run key to start application
        
        PID:3468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        74⤵
        Adds Run key to start application
        
        PID:5056
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        76⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        77⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        79⤵
        Adds Run key to start application
        
        PID:3508
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        80⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        81⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        82⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        83⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        84⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        85⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        86⤵
        Checks computer location settings
        
        PID:4328
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        87⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        88⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        90⤵
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        91⤵
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        92⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        93⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        94⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        95⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:332
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        97⤵
        Checks computer location settings
        
        PID:4132
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        98⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3984
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        99⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        100⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        102⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        103⤵
        Adds Run key to start application
        
        PID:828
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        104⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        105⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        106⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        107⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        108⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1812
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        109⤵
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        110⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        111⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        112⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        114⤵
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        115⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3356
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        116⤵
        Checks computer location settings
        
        PID:2956
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        118⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        119⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        120⤵
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        121⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        122⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        123⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        124⤵
        Checks computer location settings
        
        PID:1476
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        125⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        126⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        127⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        129⤵
        
        PID:788
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        130⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        131⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        132⤵
        Adds Run key to start application
        
        PID:1412
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        133⤵
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        134⤵
        Adds Run key to start application
        
        PID:4536
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        135⤵
        Checks computer location settings
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        136⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        137⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        138⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2916
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        139⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        140⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        141⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        142⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        143⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        144⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        145⤵
        Drops file in System32 directory
        
        PID:3684
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        146⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        147⤵
        Adds Run key to start application
        
        PID:5092
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1212
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        149⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        150⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        151⤵
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        152⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        153⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        154⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        155⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        156⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        157⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        158⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        159⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1492
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        160⤵
        Adds Run key to start application
        
        PID:1772
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        161⤵
        Adds Run key to start application
        
        PID:4292
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        162⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        164⤵
        Checks computer location settings
        
        PID:3464
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        165⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        166⤵
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        167⤵
        Checks computer location settings
        
        PID:4048
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        168⤵
        Adds Run key to start application
        
        PID:5000
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        169⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        170⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        171⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        172⤵
        Checks computer location settings
        
        PID:3112
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        173⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        174⤵
        Adds Run key to start application
        
        PID:4492
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        175⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        176⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        177⤵
        Drops file in System32 directory
        
        PID:1836
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        178⤵
        Adds Run key to start application
        
        PID:4292
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        179⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        180⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        182⤵
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        183⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        185⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:5048
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        186⤵
        Adds Run key to start application
        
        PID:856
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        187⤵
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        188⤵
        Adds Run key to start application
        
        PID:4372
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        189⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        190⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        191⤵
        Checks computer location settings
        
        PID:2892
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        192⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        193⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        194⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5088
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        195⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        196⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        197⤵
        Checks computer location settings
        
        PID:2400
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        199⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        200⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        201⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        202⤵
        Adds Run key to start application
        
        PID:3544
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        203⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        204⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        205⤵
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        206⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        207⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        208⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2468
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        209⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        210⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        211⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        212⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        213⤵
        Checks computer location settings
        
        PID:212
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        214⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        215⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        216⤵
        Checks computer location settings
        
        PID:4100
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        217⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        218⤵
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        220⤵
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        221⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        222⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        223⤵
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        224⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        225⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        226⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        227⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        228⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        229⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        230⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        231⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        232⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        233⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        234⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        235⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        236⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        237⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        238⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        239⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        240⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        241⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        242⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        243⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        244⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        245⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        246⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        247⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        248⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        249⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        250⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        251⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        252⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        253⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        254⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        255⤵
        
        PID:332
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        256⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        257⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        258⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        259⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        260⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        261⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        262⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        263⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        264⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        265⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        266⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        267⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        268⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        269⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        270⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        271⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        272⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        273⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        274⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        275⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        276⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        277⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        278⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        279⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        280⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        281⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        282⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        283⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        284⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        285⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        286⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        287⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        288⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        289⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        290⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        291⤵
        
        PID:960
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        292⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        293⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        294⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        295⤵
        
        PID:692
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        296⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        297⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        298⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        299⤵
        
        PID:636
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        300⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        301⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        302⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        303⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        304⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        305⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        306⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        307⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        308⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        309⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        310⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        311⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        312⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        313⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        314⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        315⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        316⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        317⤵
        
        PID:392
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        318⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        319⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        320⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        321⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        322⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        323⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        324⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        325⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        326⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        327⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        328⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        329⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        330⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        331⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        332⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        333⤵
        
        PID:116
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        334⤵
        
        PID:404
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        335⤵
        
        PID:408
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        336⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        337⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        338⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        339⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        340⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        341⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        342⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        343⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        344⤵
        
        PID:512
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        345⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        346⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        347⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\systcontrl.exe
        
        "C:\Windows\system32\systcontrl.exe"
        348⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        348⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        347⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        346⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        345⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        344⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        343⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        342⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        341⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        340⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        339⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        338⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        337⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        336⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        335⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        334⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        333⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        332⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        331⤵
        
        PID:1156
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        332⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        330⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        329⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        328⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        327⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        326⤵
        
        PID:2176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        327⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        325⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        324⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        323⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        322⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        321⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        320⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        319⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        318⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        317⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        316⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        315⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        314⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        313⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        314⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        312⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        311⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        310⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        309⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        308⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        307⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        306⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        305⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        304⤵
        
        PID:1432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        305⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        303⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        302⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        301⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        300⤵
        
        PID:4372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        301⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        299⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        298⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        297⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        296⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        295⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        294⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        293⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        292⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        291⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        290⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        289⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        288⤵
        
        PID:2552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        289⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        287⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        286⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        285⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        284⤵
        
        PID:3804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        285⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        283⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        282⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        281⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        280⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        279⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        278⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        277⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        276⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        275⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        274⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        275⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        273⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        272⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        271⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        270⤵
        
        PID:1996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        271⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        269⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        268⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        267⤵
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        266⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        265⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        266⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        264⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        263⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        262⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        261⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        260⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        259⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        258⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        259⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        257⤵
        
        PID:2432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        258⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        256⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        255⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        254⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        253⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        252⤵
        
        PID:728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        253⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        251⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        250⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        249⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        248⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        247⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        246⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        245⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        244⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        243⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        242⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        241⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        240⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        239⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        238⤵
        
        PID:1684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        237⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        236⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        235⤵
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        234⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        233⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        232⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        231⤵
        
        PID:4200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        232⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        230⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        229⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        228⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        227⤵
        
        PID:4440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        228⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        226⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        225⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        224⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        223⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        222⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        221⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        220⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        219⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        217⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        216⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        215⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        214⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        213⤵
        
        PID:1132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        214⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        212⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        211⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        210⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        208⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        207⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        206⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        205⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        203⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        202⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        201⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        200⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        199⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        198⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        197⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        195⤵
        
        PID:4736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        196⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        194⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        192⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        191⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        190⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        188⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        187⤵
        
        PID:3748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        188⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        186⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        185⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        186⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        183⤵
        
        PID:464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        184⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        182⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        181⤵
        
        PID:2404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        182⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        180⤵
        
        PID:828
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        178⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        177⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        176⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        175⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        174⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        173⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        172⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        171⤵
        
        PID:4112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        170⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        169⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        168⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        166⤵
        
        PID:4272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        165⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        164⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        163⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        162⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        161⤵
        
        PID:1488
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        162⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        159⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        158⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        157⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        156⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        155⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        154⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        153⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        152⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        150⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        149⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        148⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        147⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        145⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        144⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        143⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        142⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        141⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        140⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:1248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        140⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        138⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        137⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        136⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        135⤵
        
        PID:1716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        136⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        134⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        133⤵
        
        PID:3412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        132⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        130⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        129⤵
        
        PID:1836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        128⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        127⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        128⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        126⤵
        
        PID:3700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        125⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        124⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        123⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        122⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        120⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        119⤵
        
        PID:4048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        120⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        118⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        118⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        116⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        115⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        114⤵
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        113⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        112⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        111⤵
        
        PID:4172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        112⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        110⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        109⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        108⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        107⤵
        
        PID:2524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        108⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        106⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        105⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        106⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        104⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        102⤵
        
        PID:2444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        101⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        100⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        99⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        98⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        96⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        95⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        94⤵
        
        PID:3172
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        93⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        92⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        91⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        90⤵
        
        PID:2400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        89⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        90⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        88⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        87⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        86⤵
        
        PID:4656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        85⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        84⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        83⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        82⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        81⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        82⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        80⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        79⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        78⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        77⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        76⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        75⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        73⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        72⤵
        
        PID:4404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        71⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        69⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        68⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        67⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        66⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        65⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        64⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        64⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        62⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        61⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        60⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        58⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        57⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        56⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        55⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        54⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        53⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        52⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        50⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        49⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        48⤵
        
        PID:32
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        47⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        46⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        45⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        43⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        42⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        41⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        40⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        39⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        38⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        37⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        36⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        35⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        34⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        33⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        32⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        31⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        29⤵
        
        PID:692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        28⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        27⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        26⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        25⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        24⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        23⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        22⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        21⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        20⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        19⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        18⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        17⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        16⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        15⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        13⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        12⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        10⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        9⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        7⤵
        
        PID:1568
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        6⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
        5⤵
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\SYSTCO~1.EXE > nul
    3⤵
    PID:3384
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\69F006~1.EXE > nul
  2⤵
  PID:220

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2280

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:5004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\systcontrl.exe

Filesize
172KB

MD5
69f0067aca1dfc97b3b8beabab998ad9

SHA1
d0d5ea8b2b7033c80017ca5b0cd6018d8f837873

SHA256
3f8681da6b6677333cefcc87bd7850d05e34eb4f9e287762b7a4e1349053fb1c

SHA512
e01db396040fd4515b4bf8f34afd1540ce6610a8abbf89141a74e5f216a538cf6e73992765c2a146dbe362a8eb3b4ae2b2ee94f705bfd91f1ee15f06a16ba7e0

Download Submit
memory/852-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3020-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3464-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3636-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads