9004f25fbea15ef0966cfe9a718f434cd3cd2ea661fc0d9ebc4f81cb4978b7dc

Analysis

max time kernel
16s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 17:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

aiiiii4.exe
Size

1.2MB
MD5

52569dba8405b0c238e26eec935fe552
SHA1

78e4d75bf52a680620791c6621e5ce52bad7b388
SHA256

9004f25fbea15ef0966cfe9a718f434cd3cd2ea661fc0d9ebc4f81cb4978b7dc
SHA512

b43531eb3eb038a59ee76843783213b58d1619f672ed5f28b0cdc559920422c4d1412fa57cf360730da28e04654b0134602aac2ff1538cb9d2372a6d42a9f2b5
SSDEEP

12288:Diambp4B77+dBX6k1XCwDHB4p2eiLTsyaPxzldwiXhnv+jcFb+EFfQqE10:mbp4B77+dBX6klNDhgdHGjcFb+4

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	aiiiii4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aiiiii4.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File created	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File created	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe
File opened for modification	C:\Windows\System32\%tempfile%	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4956	4232	aiiiii4.exe	105
PID 4232 wrote to memory of 4956	4232	aiiiii4.exe	105
PID 4232 wrote to memory of 432	4232	aiiiii4.exe	107
PID 4232 wrote to memory of 432	4232	aiiiii4.exe	107
PID 4232 wrote to memory of 2760	4232	aiiiii4.exe	109
PID 4232 wrote to memory of 2760	4232	aiiiii4.exe	109
PID 4232 wrote to memory of 4476	4232	aiiiii4.exe	111
PID 4232 wrote to memory of 4476	4232	aiiiii4.exe	111
PID 4232 wrote to memory of 1204	4232	aiiiii4.exe	113
PID 4232 wrote to memory of 1204	4232	aiiiii4.exe	113
PID 4232 wrote to memory of 2120	4232	aiiiii4.exe	115
PID 4232 wrote to memory of 2120	4232	aiiiii4.exe	115
PID 4232 wrote to memory of 4820	4232	aiiiii4.exe	117
PID 4232 wrote to memory of 4820	4232	aiiiii4.exe	117
PID 4232 wrote to memory of 2380	4232	aiiiii4.exe	119
PID 4232 wrote to memory of 2380	4232	aiiiii4.exe	119
PID 4232 wrote to memory of 3064	4232	aiiiii4.exe	121
PID 4232 wrote to memory of 3064	4232	aiiiii4.exe	121
PID 4232 wrote to memory of 4924	4232	aiiiii4.exe	123
PID 4232 wrote to memory of 4924	4232	aiiiii4.exe	123
PID 4232 wrote to memory of 4072	4232	aiiiii4.exe	125
PID 4232 wrote to memory of 4072	4232	aiiiii4.exe	125
PID 4232 wrote to memory of 2024	4232	aiiiii4.exe	127
PID 4232 wrote to memory of 2024	4232	aiiiii4.exe	127
PID 4232 wrote to memory of 592	4232	aiiiii4.exe	129
PID 4232 wrote to memory of 592	4232	aiiiii4.exe	129
PID 4232 wrote to memory of 4992	4232	aiiiii4.exe	131
PID 4232 wrote to memory of 4992	4232	aiiiii4.exe	131
PID 4232 wrote to memory of 4380	4232	aiiiii4.exe	133
PID 4232 wrote to memory of 4380	4232	aiiiii4.exe	133
PID 4232 wrote to memory of 4796	4232	aiiiii4.exe	135
PID 4232 wrote to memory of 4796	4232	aiiiii4.exe	135
PID 4232 wrote to memory of 5152	4232	aiiiii4.exe	137
PID 4232 wrote to memory of 5152	4232	aiiiii4.exe	137
PID 4232 wrote to memory of 5208	4232	aiiiii4.exe	139
PID 4232 wrote to memory of 5208	4232	aiiiii4.exe	139
PID 4232 wrote to memory of 5256	4232	aiiiii4.exe	141
PID 4232 wrote to memory of 5256	4232	aiiiii4.exe	141
PID 4232 wrote to memory of 5300	4232	aiiiii4.exe	143
PID 4232 wrote to memory of 5300	4232	aiiiii4.exe	143

C:\Users\Admin\AppData\Local\Temp\aiiiii4.exe
"C:\Users\Admin\AppData\Local\Temp\aiiiii4.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\System32\mountvol.exe
  "C:\Windows\System32\mountvol.exe" C:\ /d >nul
  2⤵
  PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:4476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:1204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:4924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:4072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  - Drops file in System32 directory
  PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:4992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:4380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:4796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:4112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:1472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7456
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:7464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:7532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:7656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:7772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7892
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:7900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7976
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8072
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:8092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8132
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:6548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:5984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:6148
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:8084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8312
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:8340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8392
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:8472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8496
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:8572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8680
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:8732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8920
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:8944
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:8980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:9104
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:9188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7924
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:8608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7616
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:8592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:8712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8236
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:8672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:6340
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:9252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9260
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:9372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9504
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:9512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:9596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:9800
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:9988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10024
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:10108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9284
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:8584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9616
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3180
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:9968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5436
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3948
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:9556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:10308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:10588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:10752
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:10864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10912
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:10984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11012
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:11044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:11236
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11236" "2524" "2468" "2528" "0" "0" "2492" "0" "0" "0" "0" "0"
    3⤵
    PID:6784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:5820
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:10584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:3320
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:5380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:11508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:11884
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11884" "2504" "2484" "2508" "0" "0" "2512" "0" "0" "0" "0" "0"
    3⤵
    PID:13596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:12148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12192
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:12252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:9468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:11756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11500
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:10656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:11804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:11288
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12412
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:12524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12592
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:12668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12868
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:12936
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:13056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13088
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13228
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:12896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:7296
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:12132
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:12568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12492
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:5532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:1480
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  PID:12172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12788
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:11640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12624
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:12304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:12088
- C:\Windows\System32\mspaint.exe
  "C:\Windows\System32\mspaint.exe"
  2⤵
  PID:12680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:8104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:12776
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13452
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:13528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13576
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13720
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:13916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:13932
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" %temp%
  2⤵
  PID:14012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c setlocal enabledelayedexpansion & cd %windir%\System32 & set tempfile=%temp%\pngfiles.txt & dir /b *.png > %tempfile% & set /a count=0 & for /f "delims=" %i in (%tempfile%) do set /a count+=1 & set /a r=%random% %% count + 1 & for /f "tokens=* skip=%r% delims=" %i in (%tempfile%) do (start "" "%i" & goto :eof) & del %tempfile%
  2⤵
  PID:14052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3692,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:7984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jrebthb.dab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c911bcad35b14995f3ad99374682853e

SHA1
0c53043b6caa2282ebf686ddbde3fe3b35466da7

SHA256
d276a65615e2c1c3d7f48b6d3c592f42e6c7d52f2903e50175d8ab6def75d823

SHA512
ac22ccc19516599e627b593b6523e645d9651bebaee7b857e4ff45f219357f9d9deaf9dca2e75b59d6e9fac4d0150a178f6b3b63198b0616c6ec108c082e976e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6dfa3459caf9b6d21884fe428ecd2d6b

SHA1
4dc653892d4ca2a148ba140587a969e4873c9d29

SHA256
0f5a783843a4870104fd55a9a2ff761725f1d71ef8933cb5f59401051a79eb33

SHA512
2f4a37cc3cf28b657d2ca204824c99f6914d21cad11a56f64304d6b3700168f655618f57ab5f30b4efae55ba07aa23e4c947a2f49e38ce6acc320fa06afb77f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9da8c877c85c28cd88b320b144338224

SHA1
e0a7886d802739cd19d9dadb395091485dfd0c07

SHA256
9d8cbf5aa31fadbfdece6af083a6e62eff9c55a3339b6953f05ef839a3a08246

SHA512
d8952a35c1958663ffe5e7d24f33eaff873edd4eb3d6999d82d981802754187d0c058ceff100d0bd7aced96b77ee0207923da67e4b7e512056a391c3e5e4a588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2878eb279c90df39e02e57170b971d9f

SHA1
3779cc486b7036c49c67c44fd6a42f1c151ee257

SHA256
ff4a02528723ac593f85cb7144ec0e658d69054608fc4f5724b1f3697c4dcfa3

SHA512
b2045660a0e99525772508407d2737d5035362b9cd2f11dd79fbbba7f53c56e7dc1b53faab5bbd287b24d318618cdb6af80b8e901c81338b526de473ec13c7a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
57528a9eac48a1cd4c5edc8950b2296c

SHA1
53613803cdddb99a85eb84733550810afc15f012

SHA256
98c9589bec33349dd3ff364df80727d28a1c68f560d67d5eb24271aa7c968705

SHA512
173acd3c2aaff69d0824d4ec83115712f075e6df10573e98ca54b3b2c9c0193dfe9b3678c106761cb905c7ba377671f9707c0534f7f2767edaa86b79212c4083

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d965e088c914de55fbaed9234d248da1

SHA1
52d6e5f5c64beb3e013fffcc99464f8cdc9b0230

SHA256
215ff1b051e2ffbe82af192cffe6664e3b326dbc3b5110ef70d59cc6c8331035

SHA512
6367a8c219154851a9b057b092226aaceb525f8723e47f2525ce529ce0cdd78b191fa3a26ba390e756cca71ba09e79eab63cb09bf2ffec3cab2b950f72bc028e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
0f2cedbbcad1182b61ef83a4bb17df92

SHA1
d049e48d6984c7fb0084dd7de8295b71fd758bce

SHA256
883294a732585de890a38084275e0b1967cf5438d6469752a9ef0969f1111fbc

SHA512
afada51c5ccf6fd631cfcd9fec0fc5dc15157632f1f75a5dd6bccb27c33e7e6e69b3362ae6bd3698051d3b407449c63d425ea1927ee8093e5bbc9886fe8ccd81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
dd61826731a933b0a09e3bc36d3a70aa

SHA1
2e159e3078138a7ec01bb5c50dc2e23f85e40d6e

SHA256
e326f69fa125b5be7dcfd18c6cc1993ab372d6e48f0a61c1fece930cd2bce33e

SHA512
7dd7921eca9068e4994d6d32af446551c508cf470a01a55515363bf8d3a96a09addd816da3200ec85578ab6bcbec584aa9f270fe831fd18aff93c2a83b14c950

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d898a8a2499b73b41ddecaf64a60d9e9

SHA1
434e4bc6a33a1acc13ae8b4cfa21360fbfd03736

SHA256
bc90b2a81e031b174aa831c2fe93039d5af98eba4612d6988e693c66f1cf5e3c

SHA512
aead0b7ee31da5d771e46df2f005fae45753c0cc93e7479dbc183104adc9e982e0102351d7414df20f93bef71e658ffeadf8cab2677cf55003275e09fbfd240f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
672b30521c868fc1eea88e758e019c4f

SHA1
f575600599b48bb014413d71fe03833c7d041cc7

SHA256
0246707666d263d9f67b4955d6725a0396c3b7a37650d9f30078b944d50eda55

SHA512
1c40b2c275b75274b10675625871ead5fb3a387d8a6217160ab8500d0a237653210a6a48d77908fc8e9ba1c841af011831aaab7f20fe576ccf41d54249ef6d06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR8SA2Q0LU18M0AL4JP0.temp

Filesize
6KB

MD5
669e46469eebf720321ba3d6ff688f25

SHA1
cb492c02fbc0dc9895868664c87cbfa4e126a805

SHA256
9c773ee3998408c7ebd383ebb863ac50ffea18c19abb249df3c893af9b11da22

SHA512
9dd5285f6b197571a6119b1ce62f7588baf3047db77e59138d72fb31bff86c0eb54d7e0a01bd7f0df1c3a3b0412008362965310595505a79257a8349ff08c446

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
a4cabc27c80694c07cba4e096b438ef2

SHA1
8dab98b913d84fafb3c79c1d26228a0a244c275e

SHA256
2067b01c103e2d05009b83af7929c526a4835f8cbd7de638881a621ce22ec237

SHA512
40a66fff101896f05f700828d5c9d380b28d87a8c1c1c81382360176ab9bc8fcf102184e934f3e348f0abddb414334b9a14f781233fbfb5840ec74ac3c26f6de

Download Submit
C:\Windows\System32\%tempfile%

Filesize
78B

MD5
c798a4f6356b72e5ac1b65bbd8bdffe1

SHA1
56f1492cdaeaa979f570c14603c24fc45f1707d0

SHA256
da441219d9a051100bc9d8635b1cba3218275aeac0e78a028ad0dd4f2f6f41e3

SHA512
6812e2a631bd31cc8da5b7232eca00149244dfba5f32259914b7a9bb828d62eecde2c438628c5ac9a17b173cb4edf30701d6f5a5e1706c99ec36040864582fc3

Download Submit
C:\Windows\System32\%tempfile%

Filesize
2KB

MD5
6fc4e1587ad5abcd99a0f774112c6bbf

SHA1
f068f3b832ea685b802fa897ab58e4cd3ba0657f

SHA256
fad6848d111a46e964326507978f0af5ecd64d22df0225695c1e3121e7f1ce4c

SHA512
890d6e9237fcca2d821111a455983d4cc96dfb3a6eece73210a8abd09c8f4490c89be622eee3a3db82f5e66496c931ba1092cde5a2970ffca98b70395cf4552d

Download Submit
memory/4232-0-0x00007FF610860000-0x00007FF610A11000-memory.dmp

Filesize
1.7MB

Download
memory/4232-1-0x00007FF610860000-0x00007FF610A11000-memory.dmp

Filesize
1.7MB

Download
memory/7532-183-0x0000019DEB2D0000-0x0000019DEB314000-memory.dmp

Filesize
272KB

Download
memory/7656-192-0x000001D97F2C0000-0x000001D97F336000-memory.dmp

Filesize
472KB

Download
memory/7656-176-0x000001D97EE10000-0x000001D97EE32000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads