d19d78137a0b253b3747093745d14efe55e55e2a90d4dc746bed58396ccb706e

Resubmissions

19-08-2024 00:01

240819-aa131awarj 1

18-08-2024 23:59

240818-312fnswamn 1

Analysis

max time kernel
142s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

haha.bat
Size

32B
MD5

4fa20417df4e4fadad2002dff38672ef
SHA1

af1eec2e3164235d3dea758224f06ec818a95b28
SHA256

d19d78137a0b253b3747093745d14efe55e55e2a90d4dc746bed58396ccb706e
SHA512

bd1f834811edc0bb3d0d294562aa014312673ab0c1eeded3a08110331d9447914fc4fc345d45998b3432a57bb0d247e6bab93a19a03b58d9c6901b4b869a8497

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2468	2432	cmd.exe	30
PID 2432 wrote to memory of 2468	2432	cmd.exe	30
PID 2432 wrote to memory of 2468	2432	cmd.exe	30
PID 2432 wrote to memory of 2772	2432	cmd.exe	31
PID 2432 wrote to memory of 2772	2432	cmd.exe	31
PID 2432 wrote to memory of 2772	2432	cmd.exe	31
PID 2432 wrote to memory of 2840	2432	cmd.exe	32
PID 2432 wrote to memory of 2840	2432	cmd.exe	32
PID 2432 wrote to memory of 2840	2432	cmd.exe	32
PID 2772 wrote to memory of 2892	2772	cmd.exe	34
PID 2772 wrote to memory of 2892	2772	cmd.exe	34
PID 2772 wrote to memory of 2892	2772	cmd.exe	34
PID 2432 wrote to memory of 2836	2432	cmd.exe	35
PID 2432 wrote to memory of 2836	2432	cmd.exe	35
PID 2432 wrote to memory of 2836	2432	cmd.exe	35
PID 2432 wrote to memory of 2748	2432	cmd.exe	37
PID 2432 wrote to memory of 2748	2432	cmd.exe	37
PID 2432 wrote to memory of 2748	2432	cmd.exe	37
PID 2836 wrote to memory of 3008	2836	cmd.exe	38
PID 2836 wrote to memory of 3008	2836	cmd.exe	38
PID 2836 wrote to memory of 3008	2836	cmd.exe	38
PID 2772 wrote to memory of 2652	2772	cmd.exe	39
PID 2772 wrote to memory of 2652	2772	cmd.exe	39
PID 2772 wrote to memory of 2652	2772	cmd.exe	39
PID 2772 wrote to memory of 588	2772	cmd.exe	40
PID 2772 wrote to memory of 588	2772	cmd.exe	40
PID 2772 wrote to memory of 588	2772	cmd.exe	40
PID 2652 wrote to memory of 2760	2652	cmd.exe	42
PID 2652 wrote to memory of 2760	2652	cmd.exe	42
PID 2652 wrote to memory of 2760	2652	cmd.exe	42
PID 2432 wrote to memory of 2680	2432	cmd.exe	43
PID 2432 wrote to memory of 2680	2432	cmd.exe	43
PID 2432 wrote to memory of 2680	2432	cmd.exe	43
PID 2432 wrote to memory of 2960	2432	cmd.exe	44
PID 2432 wrote to memory of 2960	2432	cmd.exe	44
PID 2432 wrote to memory of 2960	2432	cmd.exe	44
PID 2680 wrote to memory of 2668	2680	cmd.exe	46
PID 2680 wrote to memory of 2668	2680	cmd.exe	46
PID 2680 wrote to memory of 2668	2680	cmd.exe	46
PID 2772 wrote to memory of 2780	2772	cmd.exe	47
PID 2772 wrote to memory of 2780	2772	cmd.exe	47
PID 2772 wrote to memory of 2780	2772	cmd.exe	47
PID 2772 wrote to memory of 2692	2772	cmd.exe	48
PID 2772 wrote to memory of 2692	2772	cmd.exe	48
PID 2772 wrote to memory of 2692	2772	cmd.exe	48
PID 2780 wrote to memory of 2816	2780	cmd.exe	50
PID 2780 wrote to memory of 2816	2780	cmd.exe	50
PID 2780 wrote to memory of 2816	2780	cmd.exe	50
PID 2652 wrote to memory of 2656	2652	cmd.exe	51
PID 2652 wrote to memory of 2656	2652	cmd.exe	51
PID 2652 wrote to memory of 2656	2652	cmd.exe	51
PID 2652 wrote to memory of 2688	2652	cmd.exe	53
PID 2652 wrote to memory of 2688	2652	cmd.exe	53
PID 2652 wrote to memory of 2688	2652	cmd.exe	53
PID 2656 wrote to memory of 1632	2656	cmd.exe	54
PID 2656 wrote to memory of 1632	2656	cmd.exe	54
PID 2656 wrote to memory of 1632	2656	cmd.exe	54
PID 2836 wrote to memory of 2812	2836	cmd.exe	55
PID 2836 wrote to memory of 2812	2836	cmd.exe	55
PID 2836 wrote to memory of 2812	2836	cmd.exe	55
PID 2836 wrote to memory of 876	2836	cmd.exe	56
PID 2836 wrote to memory of 876	2836	cmd.exe	56
PID 2836 wrote to memory of 876	2836	cmd.exe	56
PID 2812 wrote to memory of 2272	2812	cmd.exe	58

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\haha.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2128
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:1216
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:888
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:3232
        
        C:\Windows\system32\tree.com
        
        tree
        8⤵
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        8⤵
        
        PID:5468
        
        C:\Windows\system32\tree.com
        
        tree
        8⤵
        
        PID:5508
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:3256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:3460
        
        C:\Windows\system32\tree.com
        
        tree
        8⤵
        
        PID:6580
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:2668
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:6200
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6252
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:316
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:6564
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6632
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3948
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:5564
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:1580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4088
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4920
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4168
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4936
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:640
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:1888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3896
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:3656
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:2016
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:7120
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2160
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2148
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3036
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:2724
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6072
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3628
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6452
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6472
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2024
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3576
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4364
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4392
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6796
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5644
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:7068
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:7100
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1160
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:1500
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:2912
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:4832
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:4864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:6052
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6088
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:580
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6040
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3860
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6368
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6444
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2692
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2668
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3920
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:3952
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4700
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4720
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6064
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6112
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3848
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4908
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3488
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4592
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5280
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5872
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5912
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2280
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:1624
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2748
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3536
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        7⤵
        
        PID:5148
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:5136
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3552
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4204
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6740
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:5172
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6532
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6596
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:1084
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:7024
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:7060
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1804
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2348
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4668
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3136
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4128
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6208
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6276
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1628
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3248
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2640
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4156
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6496
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5180
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6488
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6512
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1080
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3384
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:976
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5608
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3592
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5992
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4952
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3032
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2176
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:768
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:1976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3084
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:4036
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3060
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:6024
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:2140
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5144
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6260
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6352
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2944
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:2284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4068
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:5424
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4992
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:5200
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4188
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3772
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5032
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4432
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5048
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5584
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:7136
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3680
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1828
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2768
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:1636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4968
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4332
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:864
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5980
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3368
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5116
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4264
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1508
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5096
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4868
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4960
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3196
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5772
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4884
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3508
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5456
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2096
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1284
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:1708
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:5968
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5996
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2588
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5960
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4900
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4928
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5236
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1692
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5660
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:7076
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:7108
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1592
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6120
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4940
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5412
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5420
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2212
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3356
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2400
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4808
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6344
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6436
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:960
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3464
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4252
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4288
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6728
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5476
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6876
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6912
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3100
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4024
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2088
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6152
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:4980
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1636
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4004
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2592
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2108
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:580
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:3636
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:4556
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:4440
        
        C:\Windows\system32\tree.com
        
        tree
        7⤵
        
        PID:7000
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4512
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:5792
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5840
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3092
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:3904
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:2820
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5852
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:1664
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6336
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6392
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:880
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3112
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:5712
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5380
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5448
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3280
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2528
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1436
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6688
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2360
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6228
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6292
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1016
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2344
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3528
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6820
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6860
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4280
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:6680
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5340
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5356
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6756
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6764
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3184
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1504
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4148
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6428
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5460
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6928
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6952
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1864
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3644
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4632
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4448
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:7016
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5576
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5636
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3048
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2220
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3500
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6140
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5088
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5488
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4512
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2972
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1068
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3608
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4676
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5024
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6540
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6604
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3008
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:1328
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2824
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6096
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3484
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4784
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5816
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2248
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2064
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5364
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6804
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6852
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4044
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5332
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4792
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1848
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3292
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2604
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3936
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4820
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4748
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5932
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5952
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3440
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3220
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2580
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1360
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6320
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5388
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:5440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:6868
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:6896
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:1824
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2480
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:2336
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2640
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:3720
      - C:\Windows\system32\tree.com
        
        tree
        6⤵
        
        PID:4728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        6⤵
        
        PID:6288
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:4604
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:5864
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:5904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6148
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3340
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3064
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:4244
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6648
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5804
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5856
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:2876
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3988
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:3316
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5104
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6300
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6400
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3432
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4196
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3124
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6220
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5260
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:6524
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:6556
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:2952
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1384
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1676
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K haha.bat
        5⤵
        
        PID:6772
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:6828
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:1772
    - - C:\Windows\system32\tree.com
        
        tree
        5⤵
        
        PID:4328
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:3816
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6084
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3288
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1552
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:3980
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:536
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5800
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:4064
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:6168
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:6192
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:1884
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1640
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:5188
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:5228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K haha.bat
      4⤵
      PID:6268
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6360
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:1868
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4184
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:4892
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5316
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4116
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:2168
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:3788
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:4800
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:4416
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:6316
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K haha.bat
    3⤵
    PID:5784
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:5832
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:3728
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:4736
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:4424
- - C:\Windows\system32\tree.com
    tree
    3⤵
    PID:6968
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:5568
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K haha.bat
  2⤵
  PID:7128
- C:\Windows\system32\tree.com
  tree
  2⤵
  PID:7164

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads