File name:

F0EB0_P4rr0tCr4sh3r.bat

Full analysis: https://app.any.run/tasks/f7bd4ff6-b63c-4b4b-9605-5dba756788e4
Verdict: Malicious activity
Analysis date: February 17, 2025, 22:34:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
MD5:

2E5DBFF716D281FD7A15F39B4F30F819

SHA1:

A7437F71B2C11D83147850052F5785CC938400F2

SHA256:

E015AD4A3D72193DE437CA7A296E58BC6B317A858AE0B7628DA8EE4C8F389F09

SSDEEP:

12:wbYVJbOfOOOByTWtUdOoPTViypiOCaKU0F5tRWyOWk/Ws9WW7B6/Wf4od9sEXUuB:wqSOByTWWbGHnNKPL9WC8EIEXUuB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6600)

    • Reads security settings of Internet Explorer

      • wordpad.exe (PID: 5720)
      • StartMenuExperienceHost.exe (PID: 6560)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 5864)
      • wordpad.exe (PID: 364)

    • Application launched itself

      • cmd.exe (PID: 6600)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6600)

    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)

    • Sets XML DOM element text (SCRIPT)

      • wordpad.exe (PID: 5720)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)

  • INFO

    • Reads security settings of Internet Explorer

      • write.exe (PID: 6188)
      • calc.exe (PID: 7140)
      • OpenWith.exe (PID: 6404)
      • write.exe (PID: 5244)
      • explorer.exe (PID: 2356)
      • OpenWith.exe (PID: 6720)
      • explorer.exe (PID: 2076)
      • calc.exe (PID: 5600)
      • OpenWith.exe (PID: 5240)
      • OpenWith.exe (PID: 5216)
      • calc.exe (PID: 936)
      • write.exe (PID: 5348)
      • write.exe (PID: 2736)
      • calc.exe (PID: 4076)
      • OpenWith.exe (PID: 4708)
      • calc.exe (PID: 3176)
      • write.exe (PID: 5084)

    • Reads Environment values

      • wordpad.exe (PID: 5720)
      • SearchApp.exe (PID: 4588)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 5864)
      • wordpad.exe (PID: 364)

    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 6560)
      • SearchApp.exe (PID: 4588)

    • Reads the computer name

      • SearchApp.exe (PID: 4588)
      • wordpad.exe (PID: 5720)
      • StartMenuExperienceHost.exe (PID: 6560)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)
      • wordpad.exe (PID: 1820)

    • Checks supported languages

      • SearchApp.exe (PID: 4588)
      • StartMenuExperienceHost.exe (PID: 6560)
      • wordpad.exe (PID: 1596)
      • wordpad.exe (PID: 1820)
      • wordpad.exe (PID: 5720)
      • wordpad.exe (PID: 364)
      • wordpad.exe (PID: 5864)

    • Reads the machine GUID from the registry

      • SearchApp.exe (PID: 4588)

    • Checks proxy server information

      • SearchApp.exe (PID: 4588)
      • explorer.exe (PID: 2076)

    • Creates files or folders in the user directory

      • explorer.exe (PID: 2076)

    • Reads the software policy settings

      • SearchApp.exe (PID: 4588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
205
Monitored processes
88
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs cmd.exe no specs conhost.exe no specs mspaint.exe no specs notepad.exe no specs calc.exe no specs control.exe no specs write.exe no specs explorer.exe no specs taskkill.exe no specs wordpad.exe no specs openwith.exe no specs rundll32.exe no specs explorer.exe no specs explorer.exe no specs taskkill.exe no specs COpenControlPanel no specs taskkill.exe no specs startmenuexperiencehost.exe no specs searchapp.exe taskkill.exe no specs mobsync.exe no specs taskkill.exe no specs cmd.exe no specs mspaint.exe no specs conhost.exe no specs notepad.exe no specs calc.exe no specs control.exe no specs write.exe no specs explorer.exe no specs taskkill.exe no specs wordpad.exe no specs openwith.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs cmd.exe no specs mspaint.exe no specs conhost.exe no specs notepad.exe no specs calc.exe no specs control.exe no specs write.exe no specs explorer.exe no specs wordpad.exe no specs openwith.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs cmd.exe no specs mspaint.exe no specs conhost.exe no specs notepad.exe no specs calc.exe no specs control.exe no specs write.exe no specs explorer.exe no specs taskkill.exe no specs wordpad.exe no specs openwith.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs cmd.exe no specs mspaint.exe no specs conhost.exe no specs notepad.exe no specs calc.exe no specs control.exe no specs write.exe no specs explorer.exe no specs taskkill.exe no specs wordpad.exe no specs openwith.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
364"C:\Program Files\Windows NT\Accessories\wordpad.exe" C:\Program Files\Windows NT\Accessories\wordpad.exewrite.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wordpad Application
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
396explorer C:\Windows\explorer.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
908mspaint C:\Windows\System32\mspaint.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
936calc C:\Windows\System32\calc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Calculator
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\calc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1328taskkill /f /im conhost.exeC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
3221225794
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
1448control C:\Windows\System32\control.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\control.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1576mspaint C:\Windows\System32\mspaint.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1580explorer C:\Windows\explorer.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
1596"C:\Program Files\Windows NT\Accessories\wordpad.exe" C:\Program Files\Windows NT\Accessories\wordpad.exewrite.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wordpad Application
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1808taskkill /f /im dllhost.exeC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
3221225794
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
Total events
67 425
Read events
67 046
Write events
337
Delete events
42

Modification events

(PID) Process:(7164) control.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309DF1040000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(6404) OpenWith.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6404) OpenWith.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6404) OpenWith.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5208) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(5208) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
00000000040000000E00000003000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF
(PID) Process:(5208) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation:writeName:Locked
Value:
1
(PID) Process:(2076) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:writeName:TraySearchBoxVisible
Value:
0
(PID) Process:(2076) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:writeName:TraySearchBoxVisibleOnAnyMonitor
Value:
0
(PID) Process:(2076) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation:writeName:TraySearchBoxVisible
Value:
1
Executable files
4
Suspicious files
35
Text files
298
Unknown types
0

Dropped files

PID
Process
Filename
Type
6600cmd.exeC:\Users\admin\Desktop\约尔1.exetext
MD5:4647B911ED41412EAC7B52057E66F6B0
SHA256:EBF81FB7A1C18EF2AE8E7B5805F0F89153793C93F9FBD289181FC9EBF25ACDCD
6600cmd.exeC:\Users\admin\Desktop\约尔8.exetext
MD5:71FF5ACA95779907300C2FA33098CA43
SHA256:ADE3BDDA02650306B6AD86BAB1DDCFEEC5DE5E2DAB45A5474D8FDED812B357C5
6600cmd.exeC:\Users\admin\Desktop\约尔7.exetext
MD5:558140ED623E3BC0BBEB72B0106ADBB4
SHA256:0ACF742A6EF5BA9ADA80B0673C3ABD62B6ED176364A15E57D415469E93CA7596
6600cmd.exeC:\Users\admin\Desktop\约尔18.exetext
MD5:74A7253CA91E3F64CF4805649E9C10F6
SHA256:96177C1675A91EAA8C735F354F44A2C531CC2E7A3AF36EDF462FE44E80020D5E
6600cmd.exeC:\Users\admin\Desktop\约尔17.exetext
MD5:313010E2BEA51C1A8A9DD330635D53C3
SHA256:9E76BC5E7EF96E3136397FE9488C358F383CB59887FD9DE90868CF87D049DB80
6600cmd.exeC:\Users\admin\Desktop\约尔11.exetext
MD5:BD5EEB425A04F09EDE815415DF7E71BF
SHA256:BD1F3EDB5C347D1715DAAFDD003F96CB1262E24C0986BEA3D7EB600EF8019A6A
6600cmd.exeC:\Users\admin\Desktop\约尔5.exetext
MD5:458C23E77F658D35A2AB50F261EFF309
SHA256:E2355C8CD8CDD2E374EC6F32B91A6798EF379C6649A5242A7930F789CFE8E809
6600cmd.exeC:\Users\admin\Desktop\约尔19.exetext
MD5:8852A2BCB49577A6DF57FCEAACDEDADD
SHA256:182A30AC2C029744144BC0CA048046DC53198204B8EC1C41ABA6F98F1A824D42
6600cmd.exeC:\Users\admin\Desktop\约尔16.exetext
MD5:247D39CBCD5B44696072C33E3A4B0ECE
SHA256:8E1C0A8BD039D2307D7EB61BF83687A8D180E6A6101001841312D849A5A37280
6600cmd.exeC:\Users\admin\Desktop\约尔12.exetext
MD5:9EF19663574A05A2E5759515A4F64132
SHA256:FD515D8E5313E0FB758A3AC7EC231A6472443158978102A1F61A686550D394C5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
19
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.145:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.126.37.128:443
https://www.bing.com/rb/16/jnc,nj/0SrfjVbd4BJYe5wzcCR3l-BPV6c.js?bu=Dis0e4gBjwGSAYUBfoIBxwHKATS-Ac0B&or=w
unknown
binary
21.5 Kb
whitelisted
GET
200
104.126.37.154:443
https://www.bing.com/rb/19/cir3,ortl,cc,nc/FgBbpIj0thGWZOh_xFnM9i4O7ek.css?bu=C9oJ6wPsBLYKmwmFCY0HbW1tbQ&or=w
unknown
text
19.8 Kb
whitelisted
GET
200
104.126.37.123:443
https://www.bing.com/rb/6k/cir3,ortl,cc,nc/2u1i5bXJCKdk4jOb70d5CjAHxg4.css?bu=M8cKwQrNCsEKsQvBCrcLwQrBCsEKwgvBCskLwQrPC8EK1QvBCtsLwQrfCsEK5QrBCtkKwQrBCqgLwQr0CsEK-grBCu4KwQqAC4oLjQvBCsEKpQuTC8EKmQucC8EKhwzBCuELwQrADA&or=w
unknown
text
444 Kb
whitelisted
GET
200
104.126.37.128:443
https://www.bing.com/rb/6k/ortl,cc,nc/fvNdnrKxhhxDQUEi09cCaSWpzzE.css?bu=Ca0MwQqyDMEKtgzBCsEKwQrBCg&or=w
unknown
text
428 Kb
whitelisted
GET
200
104.126.37.123:443
https://www.bing.com/rb/3D/ortl,cc,nc/VbCw90KbfciOAAXUwrx6Ers36VI.css?bu=A4gCjAKPAg&or=w
unknown
text
15.5 Kb
whitelisted
GET
200
104.126.37.144:443
https://www.bing.com/rp/1giEXriiR3EOVRN7C9sblV6Vn-s.br.js
unknown
binary
300 Kb
whitelisted
GET
200
104.126.37.123:443
https://www.bing.com/rb/6k/ortl,cc,nc/QNBBNqWD9F_Blep-UqQSqnMp-FI.css?bu=AcEK&or=w
unknown
text
6 b
whitelisted
GET
200
104.126.37.176:443
https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
unknown
html
125 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.145:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
3976
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4588
SearchApp.exe
104.126.37.163:443
www.bing.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.145
  • 23.48.23.162
  • 23.48.23.143
  • 23.48.23.193
  • 23.48.23.169
  • 23.48.23.173
  • 23.48.23.158
  • 23.48.23.194
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 104.126.37.163
  • 104.126.37.154
  • 104.126.37.136
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.139
  • 104.126.37.128
  • 104.126.37.144
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
F0EB0_P4rr0tCr4sh3r.bat