quasar | hxxps://krakenfiles[.]com/view/4blhrXan5g/file[.]html

Analysis

max time kernel
409s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://krakenfiles.com/view/4blhrXan5g/file.html

Score

10^/10

quasar office04 defense_evasion discovery persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.168.128:4782

Mutex

dc364256-9033-4521-9896-694366634cc9

Attributes

encryption_key
ABDF5856149009AE87B822306C48E63D69768C92
install_name
Microsoft.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft
subdirectory
Microsoft

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abe7-107.dat	family_quasar
behavioral1/memory/4076-129-0x0000000000890000-0x0000000000BC4000-memory.dmp	family_quasar

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	332	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
4076	Windows.exe
3932	Microsoft.exe
4712	Windows.exe
2928	Microsoft.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Microsoft.exe\""	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Microsoft.exe\""	Microsoft.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Microsoft.exe\""	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Microsoft.exe\""	Microsoft.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	mmc.exe
File opened for modification	C:\Windows\system32\gpedit.msc	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	mmc.exe
File opened for modification	C:\Windows\system32\gpedit.msc	mmc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Windows.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
8476	taskkill.exe
11504	taskkill.exe
7848	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	calc.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 254492.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Windows.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe\:SmartScreen:$DATA	Windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe\:SmartScreen:$DATA	Windows.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
4516	NOTEPAD.EXE
8636	NOTEPAD.EXE
3252	NOTEPAD.EXE
9104	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
440	schtasks.exe
4988	schtasks.exe
1124	schtasks.exe
4528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
332	msedge.exe
332	msedge.exe
2152	msedge.exe
2152	msedge.exe
568	msedge.exe
568	msedge.exe
1180	identity_helper.exe
1180	identity_helper.exe
4956	msedge.exe
4956	msedge.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2928	Microsoft.exe
6488	taskmgr.exe
7496	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
7172	mmc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	Windows.exe
Token: SeDebugPrivilege	3932	Microsoft.exe
Token: SeDebugPrivilege	3460	taskmgr.exe
Token: SeSystemProfilePrivilege	3460	taskmgr.exe
Token: SeCreateGlobalPrivilege	3460	taskmgr.exe
Token: 33	3460	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3460	taskmgr.exe
Token: SeDebugPrivilege	4712	Windows.exe
Token: SeDebugPrivilege	2928	Microsoft.exe
Token: SeDebugPrivilege	6488	taskmgr.exe
Token: SeSystemProfilePrivilege	6488	taskmgr.exe
Token: SeCreateGlobalPrivilege	6488	taskmgr.exe
Token: SeDebugPrivilege	11504	taskkill.exe
Token: SeDebugPrivilege	7848	taskkill.exe
Token: 33	7496	mmc.exe
Token: SeIncBasePriorityPrivilege	7496	mmc.exe
Token: 33	7496	mmc.exe
Token: SeIncBasePriorityPrivilege	7496	mmc.exe
Token: 33	7172	mmc.exe
Token: SeIncBasePriorityPrivilege	7172	mmc.exe
Token: 33	7172	mmc.exe
Token: SeIncBasePriorityPrivilege	7172	mmc.exe
Token: 33	6488	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6488	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
3932	Microsoft.exe
2152	msedge.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
3932	Microsoft.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe
3460	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3932	Microsoft.exe
2928	Microsoft.exe
9132	OpenWith.exe
11608	OpenWith.exe
11816	OpenWith.exe
11700	OpenWith.exe
11964	OpenWith.exe
11888	OpenWith.exe
12040	OpenWith.exe
12000	OpenWith.exe
11920	OpenWith.exe
12176	OpenWith.exe
12116	OpenWith.exe
12068	OpenWith.exe
12268	OpenWith.exe
12216	OpenWith.exe
11448	OpenWith.exe
11180	OpenWith.exe
10936	OpenWith.exe
11244	OpenWith.exe
7836	OpenWith.exe
724	OpenWith.exe
8032	OpenWith.exe
8580	OpenWith.exe
4256	OpenWith.exe
1156	OpenWith.exe
8044	OpenWith.exe
11800	OpenWith.exe
2088	OpenWith.exe
9172	OpenWith.exe
11992	OpenWith.exe
3980	OpenWith.exe
5900	OpenWith.exe
6496	OpenWith.exe
12064	OpenWith.exe
1808	OpenWith.exe
6140	OpenWith.exe
2620	OpenWith.exe
8872	OpenWith.exe
7488	OpenWith.exe
6576	OpenWith.exe
9092	OpenWith.exe
8232	OpenWith.exe
12092	OpenWith.exe
5804	OpenWith.exe
224	OpenWith.exe
12200	OpenWith.exe
6544	OpenWith.exe
12216	OpenWith.exe
9196	OpenWith.exe
8056	OpenWith.exe
12272	OpenWith.exe
7500	OpenWith.exe
9184	OpenWith.exe
11448	OpenWith.exe
11544	OpenWith.exe
10724	OpenWith.exe
1608	OpenWith.exe
8464	OpenWith.exe
5204	OpenWith.exe
11216	OpenWith.exe
8032	OpenWith.exe
11996	OpenWith.exe
8788	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 244	2152	msedge.exe	77
PID 2152 wrote to memory of 244	2152	msedge.exe	77
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 2780	2152	msedge.exe	78
PID 2152 wrote to memory of 332	2152	msedge.exe	79
PID 2152 wrote to memory of 332	2152	msedge.exe	79
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80
PID 2152 wrote to memory of 3772	2152	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://krakenfiles.com/view/4blhrXan5g/file.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca7a33cb8,0x7ffca7a33cc8,0x7ffca7a33cd8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,15133301378066263386,14070043282673745458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Users\Admin\Downloads\Windows.exe
  "C:\Users\Admin\Downloads\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:440
- - C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3932
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4840

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3208

C:\Users\Admin\Downloads\Windows.exe
"C:\Users\Admin\Downloads\Windows.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4712
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1124
- C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2928
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4528

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bat.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\bat.bat" "
1⤵
PID:3664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4512
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2336
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3916
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3496
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4600
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:744
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:484
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3420
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4188
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4844
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2852
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2432
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2652
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2676
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4396
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1912
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1336
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3760
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3536
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1380
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4916
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1012
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2424
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2720
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1412
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2748
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4088
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2392
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1532
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:776
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3620
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3780
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4956
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2708
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1512
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3460
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1944
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:564
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3208
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:460
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1100
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3724
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4316
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4460
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3316
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:788
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4924
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2808
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2012
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2744
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4528
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2456
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3728
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3060
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3048
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:896
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1404
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:200
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1176
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2100
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:660
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:708
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:620
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:720
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3800
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2084
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2824
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3572
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3640
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4760
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1228
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:760
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3520
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:820
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2288
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3364
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3776
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:868
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3452
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3876
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5080
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1180
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2872
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2040
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:4848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4524
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4268
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:2780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2920
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:4608
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:756
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1440
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2416
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:1500
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:3312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:3088
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3296
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:2280
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5124
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5132
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5152
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5160
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5176
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5184
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5192
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5216
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5228
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5244
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5252
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5280
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5292
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5308
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5316
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5336
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5344
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5384
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5396
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5412
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5428
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5444
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5452
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5476
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5484
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5504
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:5512
- C:\Windows\system32\calc.exe
  calc.exe
  2⤵
  - Modifies registry class
  PID:5524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12040

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12268

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:10936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:9184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:12216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:10724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8464

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:11996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:6488

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" cmd.exe
1⤵
- Kills process with taskkill
PID:8476

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im cmd.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11504

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im notepad.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7848

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bat.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\bat.bat" "
1⤵
- Modifies registry class
PID:6576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3400
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:8652
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  PID:8872
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:7496

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bat.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\bat.bat" "
1⤵
- Modifies registry class
PID:12240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:12208
- C:\Windows\system32\notepad.exe
  notepad.exe
  2⤵
  PID:9512
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  PID:2840
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  PID:7172

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\3.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:9104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\3.bat" "
1⤵
PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:4776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:11480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:5820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:8136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:10288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:12996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:9688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:13988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:6896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K bat.bat
  2⤵
  PID:14860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mmc.exe.log

Filesize
917B

MD5
585b379dad5b66e74a906b87ef59b0af

SHA1
2bf919dc0d49f39c32f84e820a7e89c2a5d7e2c2

SHA256
64a26ac7569f4fb00d08e9c2ee43f3d26c5a7c8b83a91eae4ffdb68d2831bfd8

SHA512
58a3d09c1d5a395c49aa9b5e282d622331c31d4652b7ca0e45a7bef9b88f082b5543716dadaab5d39cc2499174d14334c7292eeee304340d868f28f0e7ebc6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
c4bdf2c275c5e0c48fd73ad1734e8a0f

SHA1
f5a955b534a8c367255bc02bf910e68ff0a89f88

SHA256
b44e7d1c95ec2a67713f035b74b59709be9e62f3cc475b9512df3aa80a2eecd8

SHA512
edc7b4ba71c5960e74b93a29782f18cd0d3884e9e959453ebe494a62680864d02bea5e0f5801f7801c5cea4a58c4013745a60ec45a995568a2c4d175ad461702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8cd4d6521b632cc766abd89dce563ad8

SHA1
3254af2f769da1723d2e02632be826c9dc45693c

SHA256
ec72c9aca210be9ce50b1d60ccb57529853e49d8d362ee4ffda32beffb144aea

SHA512
764bae48a33432f870d302c17b33aed6406af5394c20fd7e4f86712b996fce78d1a2799895a411aef027114570641ec8eb2c87bbe8d0566d417a9667cd218efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb5b3302b58ad2ec733b4c506d4b1025

SHA1
a64faea1c990348b835244d1b8e2abe3d0f98661

SHA256
00552dec5bdec1fd7ae103335226a40dafdcb85d980acf81feefda7b1013e942

SHA512
cb412f1ab8c28334878db38cb22d921360bba8be4e99630b3f82085a6a41bcb8c525bdafc2eaeff62e6889539153ccb88560eadffa1ea5d6fc6b2ff183498d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99c231ef70a28506af88bc794ec02340

SHA1
307d31eef1120ed282ba213b45fa77cdfe142705

SHA256
c9339370066f7c1eb27a183a236e41afc1326cb341a1d0c21640d11a7d28cea1

SHA512
3ae55a3dd4bb7f5fdacd1fa3b100ae98cd77ce5d548f942fab6edf0843155acd9fc5289b2c0c760c01da975e8feb5dc3269e655758972281906e24a46a96d340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a11ce1863c15ab8d03b493125d841a0

SHA1
c22e9f05494b3527502ca8695592e13efd90bfed

SHA256
9e3bcca2a62aa99f85e7b676d1a760e1dd95ba918026dd70d778b3a50a3453a4

SHA512
84d6d4f95fbeb95b77e37122b9edc4dcae9bdba14be9065b2692d1a527ef9a160919fdf078980fb3d682184179a65d024f1caaa71580dafe34f3fc4a5f051ee2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb25614bdfcda8f0642dafd6c7fd0820

SHA1
503c5f855bf19378965f699e4afcc3a396e4b032

SHA256
401b6eb693a240a1fd50fdd6b78b0dd698e3de8f6c4ec4dd286138fe6ba64d24

SHA512
4f9b3e62251bac41c591baaa5ece2d8eea169b9ac2568c8441b080f1dab08b390152cec65bf9b24a3589f4073a394ba4bd689db4381abc67ce25521d30580ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0bff746d299f58ed75dbc174c8e25cbc

SHA1
294345947fd0bdabeac81a3a48961c8897fd2bd5

SHA256
f780faf041f7ba7219b2f97cb66643a9cff3deb53b1351e2bc48c749f3f7f0c6

SHA512
a2f54de1d02fdb5da411491e6518750d1596279df6e0529e99e6e24349e78d039db24075c779ef00c4ad25d80baad20fde9ef0669d928bcee23c9f63d3f1c8a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
47ac89ae88553fbcc2a815bb53821a92

SHA1
37409dfd6b1235bc0abf805a4bf67718960fd8ce

SHA256
bf9ec4cf74fd2956a9cdc181a956261d196cc83b195d5d5bf96fb162e998ac44

SHA512
c423970f72a76dd0f09bc383835b3b624eddf2c10e5ada41a07a334f0d9501363f0399fe05bbc85531053937633342a23d2891f20163f3b03dfb9d19ae75b5b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f65ac8c2-0a6e-4c83-990b-59af4caab484.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Desktop\3.bat

Filesize
25B

MD5
11a1c2414175bdcda91f35d7794d1d22

SHA1
674fae56a30be8ac6ccbc66e0ed0b68371cf38b9

SHA256
d04325d09dd9402a11c6b4d0d4cb8628650adbcc3f761616bc0f26ae17f6f3d9

SHA512
b1f63a0add40ffd7f3a5b66636797a7e9163a59c27396712d528afef1328d2cd820dc8528919c3e53abfebd8b278207c72cce86950776f1037750cc3e4495860

Download Submit
C:\Users\Admin\Desktop\bat.bat

Filesize
60B

MD5
f578423151a2a6805fb658aa3aeca53b

SHA1
4190eba0835e63554ad3ff3d576478fd23c90c57

SHA256
4a249b71f3281fee362a9a420741381971ca089f01217d717956cbf25bafed73

SHA512
dfd78596c91720a232a559edde6d273be236f6d6d323f4bf0f414bdc65e5dbef95a78427993bbc38ca263f4b56bbae1351638276b3bdf7e85954f22b9dba1e66

Download Submit
C:\Users\Admin\Desktop\bat.bat

Filesize
76B

MD5
5ac113cb6e76caee66f2314835ca8ecd

SHA1
8b66318cc6663e0f8137fa5d35c24d38f7824d85

SHA256
fb85bda00a0ebd4ee0e4eb5e00f2e2ed69e17cce61a938da430d5a0c06e56ae8

SHA512
f54daaa5bc05ced628e89430c2412277d1bccbaaa19238700f185d27397447c3f98b19e4f9fc3c892db3d9b6f45622a2ea8e1ceee7fe3a67eb170c9b121d008e

Download Submit
C:\Users\Admin\Desktop\bat.bat

Filesize
65B

MD5
c1d3269455485a1fb02dadd27509cc09

SHA1
c94ec444fe15ea43f13569d3897d1e14edcb6e0d

SHA256
2776c5e97077516fad1543f1b9adb1d49af717971e66548ddf0fbc5eaba6cea0

SHA512
0047fd81849336fe517270e96ce916dc9ec75cabe3726e69f4b13ce82989a5139acd1b0c91bcd923b6ea66326a528ff7c2b56fd043db1042a9242f23df3f2f5d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 254492.crdownload

Filesize
3.2MB

MD5
249dfb8ed77b254bcd21ab515038a3db

SHA1
df5ba24de6691c207b07cd03dfcdf10c45735ff2

SHA256
c80cda929f5d72e700289a23612f1d1013369051cefdf1e62087bdb51266b618

SHA512
d783431f328a55c9c91943eaa0db3d76bbb955ee096ebcd704ec8465208207c32a9ca42dd82ff9793679c8da42863d71cc2328c2c3d1232199b55744797fdf57

Download Submit
C:\Users\Admin\Downloads\Windows.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
memory/2928-295-0x000000001CF70000-0x000000001D498000-memory.dmp

Filesize
5.2MB

Download
memory/3460-281-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-274-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-280-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-283-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-284-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-282-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-279-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-275-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-285-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3460-273-0x000002905CE10000-0x000002905CE11000-memory.dmp

Filesize
4KB

Download
memory/3932-155-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/3932-156-0x000000001C460000-0x000000001C512000-memory.dmp

Filesize
712KB

Download
memory/4076-129-0x0000000000890000-0x0000000000BC4000-memory.dmp

Filesize
3.2MB

Download
memory/6488-315-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-312-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-311-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-310-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-313-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-314-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-303-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-304-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download
memory/6488-305-0x000002199F860000-0x000002199F861000-memory.dmp

Filesize
4KB

Download