1330dcb4011158dc784d9a9b6947b9ad2ca3954a54e2ea414a59c00d4d3c0c9d

Analysis

max time kernel
65s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cool_Truc.bat
Size

35B
MD5

830ffd545763353c6599ce33441db524
SHA1

9c9f5701614a857c0248f37eb4df82051039f277
SHA256

1330dcb4011158dc784d9a9b6947b9ad2ca3954a54e2ea414a59c00d4d3c0c9d
SHA512

39278bc680d6ac8fbd89946eca1184aacce0fbfc5681727f9413b9f65c0ee537656f7d35b72c9ee74cae2ab471cb8a33d163bb3f21a167d7fb39bf0470604f83

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	11852	dwm.exe
Token: SeChangeNotifyPrivilege	11852	dwm.exe
Token: 33	11852	dwm.exe
Token: SeIncBasePriorityPrivilege	11852	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
14292	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 3736	64	cmd.exe	85
PID 64 wrote to memory of 3736	64	cmd.exe	85
PID 64 wrote to memory of 1400	64	cmd.exe	87
PID 64 wrote to memory of 1400	64	cmd.exe	87
PID 3736 wrote to memory of 2104	3736	cmd.exe	89
PID 3736 wrote to memory of 2104	3736	cmd.exe	89
PID 3736 wrote to memory of 2524	3736	cmd.exe	90
PID 3736 wrote to memory of 2524	3736	cmd.exe	90
PID 1400 wrote to memory of 3708	1400	cmd.exe	93
PID 1400 wrote to memory of 3708	1400	cmd.exe	93
PID 1400 wrote to memory of 856	1400	cmd.exe	94
PID 1400 wrote to memory of 856	1400	cmd.exe	94
PID 2524 wrote to memory of 4712	2524	cmd.exe	97
PID 2524 wrote to memory of 4712	2524	cmd.exe	97
PID 2524 wrote to memory of 60	2524	cmd.exe	98
PID 2524 wrote to memory of 60	2524	cmd.exe	98
PID 856 wrote to memory of 1704	856	cmd.exe	101
PID 856 wrote to memory of 1704	856	cmd.exe	101
PID 856 wrote to memory of 1388	856	cmd.exe	102
PID 856 wrote to memory of 1388	856	cmd.exe	102
PID 3708 wrote to memory of 5048	3708	cmd.exe	105
PID 3708 wrote to memory of 5048	3708	cmd.exe	105
PID 3708 wrote to memory of 2324	3708	cmd.exe	106
PID 3708 wrote to memory of 2324	3708	cmd.exe	106
PID 2104 wrote to memory of 2176	2104	cmd.exe	107
PID 2104 wrote to memory of 2176	2104	cmd.exe	107
PID 2104 wrote to memory of 3360	2104	cmd.exe	111
PID 2104 wrote to memory of 3360	2104	cmd.exe	111
PID 60 wrote to memory of 2240	60	cmd.exe	113
PID 60 wrote to memory of 2240	60	cmd.exe	113
PID 60 wrote to memory of 1756	60	cmd.exe	114
PID 60 wrote to memory of 1756	60	cmd.exe	114
PID 4712 wrote to memory of 4180	4712	cmd.exe	117
PID 4712 wrote to memory of 4180	4712	cmd.exe	117
PID 4712 wrote to memory of 3672	4712	cmd.exe	119
PID 4712 wrote to memory of 3672	4712	cmd.exe	119
PID 5048 wrote to memory of 4000	5048	cmd.exe	121
PID 5048 wrote to memory of 4000	5048	cmd.exe	121
PID 5048 wrote to memory of 3520	5048	cmd.exe	122
PID 5048 wrote to memory of 3520	5048	cmd.exe	122
PID 2324 wrote to memory of 4080	2324	cmd.exe	124
PID 2324 wrote to memory of 4080	2324	cmd.exe	124
PID 1704 wrote to memory of 3912	1704	cmd.exe	127
PID 1704 wrote to memory of 3912	1704	cmd.exe	127
PID 2176 wrote to memory of 1620	2176	cmd.exe	129
PID 2176 wrote to memory of 1620	2176	cmd.exe	129
PID 1756 wrote to memory of 1480	1756	cmd.exe	132
PID 1756 wrote to memory of 1480	1756	cmd.exe	132
PID 2324 wrote to memory of 2788	2324	cmd.exe	131
PID 2324 wrote to memory of 2788	2324	cmd.exe	131
PID 2240 wrote to memory of 3772	2240	cmd.exe	133
PID 2240 wrote to memory of 3772	2240	cmd.exe	133
PID 1388 wrote to memory of 2940	1388	cmd.exe	135
PID 1388 wrote to memory of 2940	1388	cmd.exe	135
PID 1704 wrote to memory of 4360	1704	cmd.exe	136
PID 1704 wrote to memory of 4360	1704	cmd.exe	136
PID 1388 wrote to memory of 980	1388	cmd.exe	140
PID 1388 wrote to memory of 980	1388	cmd.exe	140
PID 3360 wrote to memory of 4544	3360	cmd.exe	143
PID 3360 wrote to memory of 4544	3360	cmd.exe	143
PID 2176 wrote to memory of 1164	2176	cmd.exe	144
PID 2176 wrote to memory of 1164	2176	cmd.exe	144
PID 1756 wrote to memory of 1664	1756	cmd.exe	147
PID 1756 wrote to memory of 1664	1756	cmd.exe	147

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:1620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:1164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:4796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:4544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:9020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:1668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:9164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:6128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:4180
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:4228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:13244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:3672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:3864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:10796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:12448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:12464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:10804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:3772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:7820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:8848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:7968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:13016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:9884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:12884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:7116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:11108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:12120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:7124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:11236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        11⤵
        
        PID:11136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        11⤵
        
        PID:13156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:11304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:8952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:8284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        10⤵
        
        PID:12600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:1480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:9892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:9396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:5560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:1664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:10780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:10788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:4000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:5704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:7176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:12492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:4460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:3520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:4080
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:2788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:4060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:11596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:3912
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:4360
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        9⤵
        
        PID:12872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:2940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:8832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:6632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:9828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:10984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11988
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        5⤵
        
        PID:980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5264
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:6720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:7140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:11196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        8⤵
        
        PID:12276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        6⤵
        
        PID:5680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:8448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Cool_Truc.bat
        7⤵
        
        PID:9180

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11852

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:14224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3736-3-0x00007FF732940000-0x00007FF7329A7000-memory.dmp

Filesize
412KB

Download
memory/11196-2-0x00007FF732940000-0x00007FF7329A7000-memory.dmp

Filesize
412KB

Download
memory/12448-1-0x00007FF732940000-0x00007FF7329A7000-memory.dmp

Filesize
412KB

Download
memory/14292-10-0x000002731D7B0000-0x000002731D7D0000-memory.dmp

Filesize
128KB

Download
memory/14292-41-0x000002731DC10000-0x000002731DC30000-memory.dmp

Filesize
128KB

Download
memory/14292-40-0x000002731D770000-0x000002731D790000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads