badrabbit | hxxp://h

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe

Executes dropped EXE 16 IoCs

pid	Process
5112	Krotten.exe
3052	Krotten.exe
4604	AdwereCleaner.exe
5052	6AdwCleaner.exe
5888	6AdwCleaner.exe
4416	Krotten.exe
2216	Alerta.exe
5048	BadRabbit.exe
5580	BadRabbit.exe
6112	78DF.tmp
2620	BadRabbit.exe
212	BadRabbit.exe
5520	BadRabbit.exe
5016	BadRabbit.exe
3512	BadRabbit.exe
5688	Bezilom.exe

Loads dropped DLL 7 IoCs

pid	Process
5288	rundll32.exe
1488	rundll32.exe
1572	rundll32.exe
4268	rundll32.exe
4460	rundll32.exe
3780	rundll32.exe
1888	rundll32.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Windows\\Maria.doc .exe"	Bezilom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
257	raw.githubusercontent.com
258	raw.githubusercontent.com
256	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_240686129\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_240686129\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_496860085\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_1370010437\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_496860085\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_15106883\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_240686129\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_1370010437\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_496860085\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_15106883\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_15106883\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_240686129\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_1370010437\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_496860085\ct_config.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_496860085\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_15106883\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_15106883\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4140_240686129\deny_etld1_domains.list	msedge.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\78DF.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\Maria.doc .exe	Bezilom.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\Maria.doc .exe	Bezilom.exe
File opened for modification	C:\WINDOWS\Web	Krotten.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alerta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bezilom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x004000000002381b-1689.dat	nsis_installer_1
behavioral1/files/0x004000000002381b-1689.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 18 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133891775595116311"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2362875047-775336530-2205312478-1000\{930C0536-3278-4925-9E6B-E37D08254D92}	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA	6AdwCleaner.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = 0300000001000000140000008ad5c9987e6f190bd6f5416e2de44ccd641d8cda140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8040000000100000010000000ff5fbc4290fa389e798467ebd7ae940b0f0000000100000014000000c45627b5584bf62327df60d6185744a2d2f2bcbf190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28195c00000001000000040000000008000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c4b0000000100000044000000350034003500370041003800430045003400420032004100370034003900390046003800320039003900410030003100330042003600450031004300370043005f000000200000000100000088040000308204843082036ca0030201020210421af2940984191f520a4bc62426a74b300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d8300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101004d422fa6c18aeb07809058468cf81939662a3c5a2c6dcfd4d987558d790b12887b408fd5c7f84b8d551663adb757dc3b2bbdd3c14f1e03874b449be3e2404526f326492b6a84f1547ad442dafcd36abb667eca9eeae9bbdc07c7c3924e833c81499f92d53209ea492ea111719a36d2c54e68b6cb0e1b2516af6cde5d76d81f72b193268617db18deaf45e9dffb98af1418eda45ef6899445f055044addff27dd064a40f6b4bcf1e40f9902bbfd5d0e2e28c1be3b5f1a3f971084bc163ed8a39c631d66cb5c5fda3ef30f0a093522dbdbc03f00f9e60d5d67d1fda01e032bd940f7becc87665480a6a3b8f51962d5d226b19826ee9acb44a7455a8195151af551	6AdwCleaner.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3680	schtasks.exe
5648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3780	msedge.exe
3780	msedge.exe
5288	rundll32.exe
5288	rundll32.exe
5288	rundll32.exe
5288	rundll32.exe
1488	rundll32.exe
1488	rundll32.exe
6112	78DF.tmp
6112	78DF.tmp
6112	78DF.tmp
6112	78DF.tmp
6112	78DF.tmp
6112	78DF.tmp
6112	78DF.tmp
1572	rundll32.exe
1572	rundll32.exe
4268	rundll32.exe
4268	rundll32.exe
4460	rundll32.exe
4460	rundll32.exe
3780	rundll32.exe
3780	rundll32.exe
1888	rundll32.exe
1888	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	5112	Krotten.exe
Token: SeSystemtimePrivilege	5112	Krotten.exe
Token: SeSystemtimePrivilege	5112	Krotten.exe
Token: SeSystemtimePrivilege	3052	Krotten.exe
Token: SeSystemtimePrivilege	3052	Krotten.exe
Token: SeSystemtimePrivilege	3052	Krotten.exe
Token: SeDebugPrivilege	5052	6AdwCleaner.exe
Token: SeDebugPrivilege	5888	6AdwCleaner.exe
Token: SeSystemtimePrivilege	4416	Krotten.exe
Token: SeSystemtimePrivilege	4416	Krotten.exe
Token: SeSystemtimePrivilege	4416	Krotten.exe
Token: SeShutdownPrivilege	5288	rundll32.exe
Token: SeDebugPrivilege	5288	rundll32.exe
Token: SeTcbPrivilege	5288	rundll32.exe
Token: SeShutdownPrivilege	1488	rundll32.exe
Token: SeDebugPrivilege	1488	rundll32.exe
Token: SeTcbPrivilege	1488	rundll32.exe
Token: SeDebugPrivilege	6112	78DF.tmp
Token: SeShutdownPrivilege	1572	rundll32.exe
Token: SeDebugPrivilege	1572	rundll32.exe
Token: SeTcbPrivilege	1572	rundll32.exe
Token: SeShutdownPrivilege	4268	rundll32.exe
Token: SeDebugPrivilege	4268	rundll32.exe
Token: SeTcbPrivilege	4268	rundll32.exe
Token: SeShutdownPrivilege	4460	rundll32.exe
Token: SeDebugPrivilege	4460	rundll32.exe
Token: SeTcbPrivilege	4460	rundll32.exe
Token: SeShutdownPrivilege	3780	rundll32.exe
Token: SeDebugPrivilege	3780	rundll32.exe
Token: SeTcbPrivilege	3780	rundll32.exe
Token: SeShutdownPrivilege	1888	rundll32.exe
Token: SeDebugPrivilege	1888	rundll32.exe
Token: SeTcbPrivilege	1888	rundll32.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
5052	6AdwCleaner.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5052	6AdwCleaner.exe
5052	6AdwCleaner.exe
5888	6AdwCleaner.exe
5888	6AdwCleaner.exe
5688	Bezilom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 2980	4140	msedge.exe	85
PID 4140 wrote to memory of 2980	4140	msedge.exe	85
PID 4140 wrote to memory of 5644	4140	msedge.exe	88
PID 4140 wrote to memory of 5644	4140	msedge.exe	88
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 392	4140	msedge.exe	89
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90
PID 4140 wrote to memory of 3600	4140	msedge.exe	90

System policy modification 1 TTPs 64 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://h
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x360,0x7ffd2dd1f208,0x7ffd2dd1f214,0x7ffd2dd1f220
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1820,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2104,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2544,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3424,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3432,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4944,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3720,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=5236,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5676,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6296,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6436,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6824,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7096,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7128 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7144,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6756,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7024,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6896,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7148,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7188 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7400,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:8
  2⤵
  PID:5552
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:5112
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3692,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7840,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7508,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7228 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7868,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7864 /prefetch:8
  2⤵
  PID:4260
- C:\Users\Admin\Downloads\AdwereCleaner.exe
  "C:\Users\Admin\Downloads\AdwereCleaner.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
    "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7952,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7948 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:3712
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=6956,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7532,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:5752
- C:\Users\Admin\Downloads\Alerta.exe
  "C:\Users\Admin\Downloads\Alerta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=8024,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7152,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7040 /prefetch:8
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6764,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:5492
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5048
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5288
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:5072
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3993545184 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3993545184 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3680
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:19:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:19:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5648
  - - C:\Windows\78DF.tmp
      "C:\Windows\78DF.tmp" \\.\pipe\{DBD194E3-02F2-485A-B608-DCB532F4CA91}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6112
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5580
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:212
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4268
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5520
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5016
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3512
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7440,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=6120,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3180,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1972,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  PID:372
- C:\Users\Admin\Downloads\Bezilom.exe
  "C:\Users\Admin\Downloads\Bezilom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7408,i,13471726512398091606,14102157746018093565,262144 --variations-seed-version --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Web\rundll32.exe
1⤵
PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Cursors\avp.exe
1⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Web\rundll32.exe
1⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Cursors\avp.exe
1⤵
PID:5936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\6AdwCleaner.exe" -auto
1⤵
PID:4732
- C:\Users\Admin\AppData\Local\6AdwCleaner.exe
  C:\Users\Admin\AppData\Local\6AdwCleaner.exe -auto
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5888

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\df9be7e0d3d34fb1a5c41dbee841c57a /t 5048 /p 5888
1⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Web\rundll32.exe
1⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\WINDOWS\Cursors\avp.exe
1⤵
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Maria.doc .exe
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery