hawkeye | 5eba0fc4031786d1d2744beace12ab4116df7ce799c85a72087996d6013dc0a9

Analysis

max time kernel
449s
max time network
356s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pizoooooooooon.exe
Size

469KB
MD5

edbc5efff13abc4bbbe32422508f413c
SHA1

53aaa3aee4fca7bee5381040878fb752d606a9fd
SHA256

5eba0fc4031786d1d2744beace12ab4116df7ce799c85a72087996d6013dc0a9
SHA512

4eb254d3acf692ea8267db2db519beb3e7c052c70ffa3498fc4cedfed4e935bb6e61984b1638bfcc7e52876b9f981ec4a2831f1fcf53a7ce6898e71657d03af9
SSDEEP

12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSPn9:uiLJbpI7I2WhQqZ7P9

Score

10^/10

hawkeye remcos remotehost discovery evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

items-jeffrey.gl.at.ply.gg:58427

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
system.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B5GG3O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Hawkeye family
hawkeye
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

2576 WScript.exe
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

2592 system.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2804 cmd.exe
2804 cmd.exe

pid	process
2576	WScript.exe

pid	process
2592	system.exe

pid	process
2804	cmd.exe
2804	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pizoooooooooon.exesystem.exeiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	pizoooooooooon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	pizoooooooooon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Windows\\SysWOW64\\Remcos\\system.exe\""	iexplore.exe

Drops file in System32 directory 5 IoCs

Processes:

pizoooooooooon.exeiexplore.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Remcos\system.exe	pizoooooooooon.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\system.exe	pizoooooooooon.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	pizoooooooooon.exe
File opened for modification	C:\Windows\SysWOW64\Remcos	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\Remcos\system.exe	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

system.exeiexplore.exe

description	pid	process	target process
PID 2592 set thread context of 2600	2592	system.exe	iexplore.exe
PID 2600 set thread context of 1712	2600	iexplore.exe	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

dxdiag.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log dxdiag.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeiexplore.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepizoooooooooon.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pizoooooooooon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 34 IoCs

Processes:

dxdiag.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

2680 reg.exe
2136 reg.exe
2256 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dxdiag.exe

pid process

2880 dxdiag.exe
2880 dxdiag.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2600 iexplore.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

system.exeiexplore.exe

pid process

2592 system.exe
2600 iexplore.exe

pid	process
2680	reg.exe
2136	reg.exe
2256	reg.exe

pid	process
2880	dxdiag.exe
2880	dxdiag.exe

pid	process
2600	iexplore.exe

pid	process
2592	system.exe
2600	iexplore.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

dxdiag.exeiexplore.exe

description	pid	process
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeRestorePrivilege	2880	dxdiag.exe
Token: SeShutdownPrivilege	2600	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exedxdiag.exe

pid process

2600 iexplore.exe
2880 dxdiag.exe

pid	process
2600	iexplore.exe
2880	dxdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pizoooooooooon.execmd.exeWScript.execmd.exesystem.exeiexplore.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 2800	2780	pizoooooooooon.exe	cmd.exe
PID 2780 wrote to memory of 2800	2780	pizoooooooooon.exe	cmd.exe
PID 2780 wrote to memory of 2800	2780	pizoooooooooon.exe	cmd.exe
PID 2780 wrote to memory of 2800	2780	pizoooooooooon.exe	cmd.exe
PID 2800 wrote to memory of 2680	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2680	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2680	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2680	2800	cmd.exe	reg.exe
PID 2780 wrote to memory of 2576	2780	pizoooooooooon.exe	WScript.exe
PID 2780 wrote to memory of 2576	2780	pizoooooooooon.exe	WScript.exe
PID 2780 wrote to memory of 2576	2780	pizoooooooooon.exe	WScript.exe
PID 2780 wrote to memory of 2576	2780	pizoooooooooon.exe	WScript.exe
PID 2576 wrote to memory of 2804	2576	WScript.exe	cmd.exe
PID 2576 wrote to memory of 2804	2576	WScript.exe	cmd.exe
PID 2576 wrote to memory of 2804	2576	WScript.exe	cmd.exe
PID 2576 wrote to memory of 2804	2576	WScript.exe	cmd.exe
PID 2804 wrote to memory of 2592	2804	cmd.exe	system.exe
PID 2804 wrote to memory of 2592	2804	cmd.exe	system.exe
PID 2804 wrote to memory of 2592	2804	cmd.exe	system.exe
PID 2804 wrote to memory of 2592	2804	cmd.exe	system.exe
PID 2592 wrote to memory of 2588	2592	system.exe	cmd.exe
PID 2592 wrote to memory of 2588	2592	system.exe	cmd.exe
PID 2592 wrote to memory of 2588	2592	system.exe	cmd.exe
PID 2592 wrote to memory of 2588	2592	system.exe	cmd.exe
PID 2592 wrote to memory of 2600	2592	system.exe	iexplore.exe
PID 2592 wrote to memory of 2600	2592	system.exe	iexplore.exe
PID 2592 wrote to memory of 2600	2592	system.exe	iexplore.exe
PID 2592 wrote to memory of 2600	2592	system.exe	iexplore.exe
PID 2592 wrote to memory of 2600	2592	system.exe	iexplore.exe
PID 2600 wrote to memory of 1864	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 1864	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 1864	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 1864	2600	iexplore.exe	cmd.exe
PID 2588 wrote to memory of 2136	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2136	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2136	2588	cmd.exe	reg.exe
PID 2588 wrote to memory of 2136	2588	cmd.exe	reg.exe
PID 2600 wrote to memory of 1712	2600	iexplore.exe	svchost.exe
PID 2600 wrote to memory of 1712	2600	iexplore.exe	svchost.exe
PID 2600 wrote to memory of 1712	2600	iexplore.exe	svchost.exe
PID 2600 wrote to memory of 1712	2600	iexplore.exe	svchost.exe
PID 2600 wrote to memory of 1712	2600	iexplore.exe	svchost.exe
PID 1864 wrote to memory of 2256	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 2256	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 2256	1864	cmd.exe	reg.exe
PID 1864 wrote to memory of 2256	1864	cmd.exe	reg.exe
PID 2600 wrote to memory of 2880	2600	iexplore.exe	dxdiag.exe
PID 2600 wrote to memory of 2880	2600	iexplore.exe	dxdiag.exe
PID 2600 wrote to memory of 2880	2600	iexplore.exe	dxdiag.exe
PID 2600 wrote to memory of 2880	2600	iexplore.exe	dxdiag.exe
PID 2600 wrote to memory of 760	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 760	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 760	2600	iexplore.exe	cmd.exe
PID 2600 wrote to memory of 760	2600	iexplore.exe	cmd.exe
PID 760 wrote to memory of 2144	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2144	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2144	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2144	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 944	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 944	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 944	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 944	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2080	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2080	760	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\pizoooooooooon.exe
"C:\Users\Admin\AppData\Local\Temp\pizoooooooooon.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\Remcos\system.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\Remcos\system.exe
      C:\Windows\SysWOW64\Remcos\system.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:2136
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:2256
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        
        PID:1712
      - C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
        6⤵
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2880
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\DONT OPEN BOMB.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7416
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:9480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:10624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:11836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13148
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13404
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14244
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16984
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17180
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17496
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17692
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18024
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18212
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18280
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18336
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18168
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18384
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18440
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18464
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18540
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18912
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19184
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19248
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19284
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19320
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:17884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14004
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18792
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:16460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:19444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:18436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14428
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14480
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14980
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15204
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14824
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15316
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        7⤵
        
        PID:14884
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\uxakbwdxiw.vbs"
        6⤵
        
        PID:16460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:16496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DONT OPEN BOMB.bat

Filesize
161B

MD5
82df6e9c10282d9c13af14bbae6626a5

SHA1
16d081d5cb44cb894c95ba41601b6e7a83587e25

SHA256
dd571f70b0843ead4deac4dbcefa959fb1b37fbe61d7e44600d606c136959c58

SHA512
75aa9554c6f16368b4993e2fcae76f551603a9c99263cd6de6a59398564aaee9047e6caddc040075b9be0e4ded6192ed95fd40662c10ea00d6025bf568e0a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
536B

MD5
7b0c565618383b9ffeea6461bd3e8639

SHA1
02f543d75c0d89fec1d366a219369e3eb7efdc27

SHA256
f37608aab9baeae29764a508225a532df88565d605596553c70e1a29702fa2ba

SHA512
73a4e469b220afa5da5342d37c896964bd36c4be5f26e478ee18aedddd6e65a44e212dd10a0c579ae139591197b7c395b8edfdd50252eb71b86ad7b603eacd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysinfo.txt

Filesize
15KB

MD5
94d47c04becf09ee3c794ff46743b9c9

SHA1
f246bdbfc91ad6d2cc1af13b3027ff9a138b9210

SHA256
65bde724dc6775a72fbd2da771ca40f4b1eca569e282510c7a677acb5ba74f55

SHA512
47affc5e00da5c194d7fc7ea36c9fcedfe317d3a382e77ecc40b8b76d6f840f5f36d30c64eef4fb2d6721bbc61b59e623153ca3c2ce244ecbd1dd618f98cac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxakbwdxiw.vbs

Filesize
560B

MD5
c0add116e665aca2f04ed038c6399441

SHA1
3bff7d3fb255ad159c9aee36f5c10a73c8bc3596

SHA256
daecfdf55ec8f0726e6b69ff85a25baf4b8287d93113a3aa5b3ecd272839daa6

SHA512
02d41f91d6ced10b2735b065db3c88569e14ea781a666016a644c7a7269fce12abbe004faa06fba966bb655ba74a3b2ff36ec0cd4153a4a8989a2c82f56e958a

Download Submit
C:\Windows\SysWOW64\Remcos\system.exe

Filesize
469KB

MD5
edbc5efff13abc4bbbe32422508f413c

SHA1
53aaa3aee4fca7bee5381040878fb752d606a9fd

SHA256
5eba0fc4031786d1d2744beace12ab4116df7ce799c85a72087996d6013dc0a9

SHA512
4eb254d3acf692ea8267db2db519beb3e7c052c70ffa3498fc4cedfed4e935bb6e61984b1638bfcc7e52876b9f981ec4a2831f1fcf53a7ce6898e71657d03af9

Download Submit
memory/1712-20-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/1712-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1712-21-0x0000000000140000-0x00000000001BF000-memory.dmp

Filesize
508KB

Download
memory/2600-62-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-96-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-22-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-23-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-24-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-26-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-25-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-31-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-32-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-33-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-35-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-36-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-11-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-112-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-117-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-109-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-108-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-105-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-102-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-101-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-100-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-99-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-16-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-12-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-64-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-67-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-68-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-69-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-70-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-71-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-73-0x0000000010000000-0x000000001005F000-memory.dmp

Filesize
380KB

Download
memory/2600-76-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-72-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-88-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-89-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-90-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-91-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-92-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-95-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-15-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-97-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2600-98-0x0000000000180000-0x00000000001FF000-memory.dmp

Filesize
508KB

Download
memory/2880-60-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/2880-56-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/2880-57-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2880-59-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2880-53-0x0000000002550000-0x00000000025AC000-memory.dmp

Filesize
368KB

Download
memory/2880-54-0x0000000002550000-0x00000000025AC000-memory.dmp

Filesize
368KB

Download
memory/2880-51-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2880-52-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2880-37-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/2880-38-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download